From 420be7f865df114f53e651eb2a2a32a01b953c49 Mon Sep 17 00:00:00 2001 From: Tao Li Date: Mon, 26 Mar 2018 13:04:10 -0700 Subject: [PATCH] Add one more faq for secret encryption (#1096) --- _faq/security/secret-encryption.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 _faq/security/secret-encryption.md diff --git a/_faq/security/secret-encryption.md b/_faq/security/secret-encryption.md new file mode 100644 index 0000000000..2051a536c5 --- /dev/null +++ b/_faq/security/secret-encryption.md @@ -0,0 +1,10 @@ +--- +title: Is the secret encrypted for workload key and cert? +order: 125 +type: markdown +--- +{% include home.html %} + +By default, they are base64 encoded but not encrypted. However, the [secret encryption feature](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) is supported in Kubernetes and you can do it by following the instruction. + +Notice that this feature is not enabled yet in Google Container Enginer (GKE). While the data may not be encrypted inside the etcd running on the master node, the contents of the master node itself are encrypted, see [here](https://cloud.google.com/security/encryption-at-rest/default-encryption/#encryption_of_data_at_rest) for more info.
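Review bot: In the last added paragraph, the sentence "the contents of the master node itself are encrypted" can be read as a substitute for secret encryption. Please say explicitly that this is at-rest encryption of the node's storage, and that the workload key and cert remain only base64 encoded (per the first paragraph) to anyone who can read the secret or the etcd data. In the same paragraph, "Google Container Enginer (GKE)" is misspelled ("Engine"), and the link text "here" should name its target, for example "default encryption at rest". In the first paragraph, "you can do it by following the instruction" leaves "it" undefined; suggest "you can enable it by following the instructions on that page". The title would also read more clearly as "Are the workload key and cert secrets encrypted?".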