Google Cloud, which was already encrypting data at rest by default, including data in Google Kubernetes Engine (GKE), is adding application-layer secrets encryption using the same keys in its hosted Cloud Key Management Service (KMS).
Application-layer secrets encryption, which is now in beta in GKE, protects secrets with envelope encryption: secrets are encrypted locally in AES-CBC mode with a local data encryption key, and the data encryption key is encrypted with a key encryption key managed in Cloud KMS as the root of trust.
Google Cloud said the new capability provides flexibility for specific security models.
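The envelope scheme described above, as an added Go example that is not Google's or Kubernetes' own code: each secret is encrypted locally with AES-CBC under a fresh data encryption key, and only the wrapped key is stored beside the ciphertext. `NewKEK` is a local AES-GCM stand-in for the key encryption key held in Cloud KMS, and `Record`, `Seal`, `Open` and `randBytes` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}
// NewKEK is a local stand-in (assumption) for the key encryption key held in Cloud KMS.
func NewKEK() cipher.AEAD {
	blk, _ := aes.NewCipher(randBytes(32)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(blk)
	return gcm
}
// Record is what gets stored: wrapped DEK, IV and ciphertext, never plaintext or a bare key.
type Record struct{ WrappedDEK, IV, CT []byte }
// Seal encrypts locally under a fresh DEK (AES-CBC, PKCS#7), then wraps the DEK under the KEK.
func Seal(kek cipher.AEAD, secret []byte) Record {
	dek, iv, nonce := randBytes(32), randBytes(aes.BlockSize), randBytes(kek.NonceSize())
	pad := aes.BlockSize - len(secret)%aes.BlockSize
	pt := append(append([]byte{}, secret...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	blk, _ := aes.NewCipher(dek)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(pt, pt)
	return Record{kek.Seal(nonce, nonce, dek, nil), iv, pt}
}
// Open unwraps the DEK with the KEK, then decrypts locally; it fails without the right KEK.
func Open(kek cipher.AEAD, r Record) ([]byte, error) {
	n := kek.NonceSize()
	if len(r.WrappedDEK) < n || len(r.IV) != aes.BlockSize || len(r.CT) == 0 || len(r.CT)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	dek, err := kek.Open(nil, r.WrappedDEK[:n], r.WrappedDEK[n:], nil)
	if err != nil || len(dek) != 32 {
		return nil, errors.New("DEK unwrap failed") // wrong KEK or tampered wrapped DEK
	}
	blk, _ := aes.NewCipher(dek)
	pt := make([]byte, len(r.CT))
	cipher.NewCBCDecrypter(blk, r.IV).CryptBlocks(pt, r.CT)
	if p := int(pt[len(pt)-1]); p >= 1 && p <= aes.BlockSize {
		return pt[:len(pt)-p], nil
	}
	return nil, errors.New("bad padding")
}
```

Opening a record with a different key encryption key fails at the unwrap step, which is what makes the KMS-held key the root of trust for every stored secret.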
https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-encrypting-kubernetes-secrets-with-cloud-kms