Commit

Merge pull request #12127 from spzala/automated-cherry-pick-of-#12012-upstream-release-3.4

Automated cherry pick of #12012
spzala authored Jul 13, 2020
2 parents d3a702a + 67bfc31 commit a2c3748
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Documentation/op-guide/security.md
Expand Up @@ -426,8 +426,14 @@ Make sure to sign the certificates with a Subject Name the member's public IP ad

The certificate needs to be signed for the member's FQDN in its Subject Name, use Subject Alternative Names (short IP SANs) to add the IP address. The `etcd-ca` tool provides `--domain=` option for its `new-cert` command, and openssl can make [it][alt-name] too.

### Does etcd encrypt data stored on disk drives?
No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to encrypt data stored on etcd, there are some options:
* Let client applications encrypt and decrypt the data
* Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]

[cfssl]: https://github.com/cloudflare/cfssl
[tls-setup]: ../../hack/tls-setup
[tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
[alt-name]: http://wiki.cacert.org/FAQ/subjectAltName
[auth]: authentication.md
[dm-crypt]: https://en.wikipedia.org/wiki/Dm-crypt
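Review bot: The two bullets under "Does etcd encrypt data stored on disk drives?" are listed as equivalent options, but they cover different exposure. Client-side encryption keeps the data opaque to etcd itself, while dm-crypt only protects the block device at rest and leaves the data readable to anything that can query a running member. A sentence stating that difference would help operators choose. The first bullet should also say whether "the data" means values only or key names as well, since the answer opens with "key/value data". Wording: "If a user need to encrypt data stored on etcd" should read "If a user needs to encrypt data stored in etcd". Formatting: add a blank line after the `###` heading and before the bullet list so the list renders consistently across Markdown processors. Consider pointing `[dm-crypt]` at primary documentation rather than Wikipedia.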
