Encrypting etcd at rest

[firstdorsal]

As I understand talos only runs inside the ram and does not use the disk.
I would like to have all my data encrypted at rest. Longhorn does have a way to encrypt its volumes (using luks) storing the keys in the kubernetes secrets. To achieve the full encryption at rest the etcd data would need to be encrypted. This could also be done with luks I assume. So having talos on a stick, have a hard drive with a 20GB luks encrypted partition for etcd and the rest for storage with Longhorn or similar.

Now my question is how this luks encrypted partitions could be set up with talos and of course also how it could be decrypted remotely on all nodes of the cluster after a full cluster shutdown/restart or is there even a better way to achieve full disk encryption on all nodes at rest?

[smira]

Talos already configures Kubernetes to do encryption at rest for Secrets (resources).

Talos supports disk encryption for EPHEMERAL partition: https://www.talos.dev/v1.6/talos-guides/configuration/disk-encryption/

[firstdorsal]

How is it decrypted?
How can this be used with a KMS?
Would it be possible to run a talosctl command to decrypt the data of all the (control plane) machines when starting the cluster?

I would like to send a wake on lan signal to the machines then enter the encryption key and then have the cluster running.

I read somewhere in your documentation that talos claims the full drive when installing, so it is not at all possible to partition the boot drive and use it for anything else?

[smira]

Please read the documentation above, it has all details on what is available right now. Full drive is not possible for obvious reasons (bootloader).