Skip to content

Use of Cryptography

Compliant Kubernetes recommends the ECRYPT-CSA "near term use". The key cryptographic parameters are listed below.

Cryptographic Structure Size
Symmetric 128
Factoring Modulus 3072
Discrete Logarithm 256/3072
Elliptic Group 256
Hash 256
Function Algorithm
Block Ciphers AES
Hash Functions SHA-2 (256, 384, 512, 512/256)
SHA-3 (256, 384, 512, SHAKE128, SHAKE256)
Whirlpool (512)
BLAKE (256, 584, 512)
Public Key Primitive RSA (>3072)
DSA (>256/3072)
ECDSA (>256)

Ubuntu 22.04 already generates SSH and GPG keys conforming to this recommendation, as evidenced below:

$ ssh-keygen
Generating public/private rsa key pair.
+---[RSA 3072]----+
|           o+.=++|
|           +o..= |
|        = =...o  |
|       O @.    o |
|      . S +.  . .|
|       + B  .. .E|
|      . O o ..o  |
|       o + +o... |
|          +oo=o  |
$ gpg --generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
pub   rsa3072 2023-03-24 [SC] [expires: 2025-03-23]
uid                      Cristian Klein <>
sub   rsa3072 2023-03-24 [E] [expires: 2025-03-23]

Notes on HTTPS Traffic

For HTTPS traffic, Compliant Kubernetes allows either TLS 1.2 or TLS 1.3. TLS 1.3 mandates forward secrecy. TLS 1.2 makes forward secrecy optional, however, the default cipher list in Compliant Kubernetes prioritizes algorithms that provide perfect forward secrecy. In brief, you can rely on forward secrecy with most browsers in use today.

Forward secrecy addresses the "store now, decrypt later" attack. In essence, an attacker cannot decrypt past HTTPS transmissions even if the TLS certificate (private key) is compromised.

Compliant Kubernetes uses RSA 2048 when provisioning HTTPS certificates, which is lower than the present recommendation. However, these certificates have a short expiration time of 3 months. Hence, with short certificate expiration time and forward secrecy, usage of RSA 2048 for HTTPS certificates does not add a security risk.

We recommend you to regularly run the Qualys SSL Server Test against the application HTTPS endpoints to make sure encrypted-in-transit sufficiently protects your data. At the time of this writing, Compliant Kubernetes receives A+ overall rating.

Further Reading