Set up dropbear, and have another encrypted instance that runs a cron that runs a script every minute to check for the dropbear port on all instances and SSHes in and passes the key to boot.
This is what I do for fastcomments anyway for ovh and hetzner
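An added example of the cron-driven unlocker described above (not the commenter's own script, and not the fastcomments setup). It assumes Debian-style `dropbear-initramfs` listening on port 2222 inside the initramfs with `cryptroot-unlock` available there, a host list at `/etc/unlock/hosts`, one root-only passphrase file per host under `/etc/unlock/keys/`, and a separate known_hosts file holding each initramfs dropbear host key; all of those paths and the `203.0.113.x` addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: poll every encrypted host, and when its initramfs dropbear is up
# (and the real sshd is not), push the LUKS passphrase over SSH.
# Assumed layout (placeholders, not from the thread):
#   /etc/unlock/hosts      lines of "name address [port]"  (port defaults to 2222)
#   /etc/unlock/keys/NAME  passphrase for host NAME, mode 0600, owned by root
#   /etc/unlock/initramfs_known_hosts  pinned host keys of the initramfs dropbear

HOSTS_FILE="${HOSTS_FILE:-/etc/unlock/hosts}"
KEY_DIR="${KEY_DIR:-/etc/unlock/keys}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/unlock/initramfs_known_hosts}"
LOG="${LOG:-/var/log/remote-unlock.log}"

# Parse the host list from stdin: drop comments and blank lines, default the
# port to 2222. Emits one "name address port" line per host.
parse_hosts() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    while read -r name addr port rest; do
        printf '%s %s %s\n' "$name" "$addr" "${port:-2222}"
    done
}

# Decide whether a host is waiting in its initramfs: the dropbear port must be
# open AND the booted system's sshd on port 22 must be closed. Takes the two
# probe results ("open"/"closed") as arguments so the rule is testable offline.
needs_unlock() {
    dropbear_state=$1
    sshd_state=$2
    [ "$dropbear_state" = open ] && [ "$sshd_state" = closed ]
}

# Probe a TCP port with a short timeout; prints "open" or "closed".
probe() {
    if nc -z -w 2 "$1" "$2" 2>/dev/null; then echo open; else echo closed; fi
}

# Send the passphrase. Assumption: cryptroot-unlock reads it from stdin when no
# tty is attached. StrictHostKeyChecking=yes against the pinned initramfs host
# key means the passphrase is never handed to something else answering on 2222.
unlock_host() {
    name=$1
    addr=$2
    port=$3
    keyfile="$KEY_DIR/$name"
    if [ ! -r "$keyfile" ]; then
        echo "$(date -Is) $name: no key file at $keyfile" >>"$LOG"
        return 1
    fi
    ssh -p "$port" -o BatchMode=yes -o ConnectTimeout=5 \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "root@$addr" cryptroot-unlock <"$keyfile" >>"$LOG" 2>&1
}

# One pass over all hosts; meant to be called from cron once a minute.
main() {
    parse_hosts <"$HOSTS_FILE" | while read -r name addr port; do
        if needs_unlock "$(probe "$addr" "$port")" "$(probe "$addr" 22)"; then
            echo "$(date -Is) $name: dropbear up on $port, sending key" >>"$LOG"
            unlock_host "$name" "$addr" "$port"
        fi
    done
}

case "${1:-}" in
    --run) main ;;
esac
```

Install it as `/usr/local/sbin/remote-unlock` and add `* * * * * root /usr/local/sbin/remote-unlock --run` to a root crontab. The initramfs dropbear has its own host key, distinct from the booted system's OpenSSH key, which is why it is pinned in a separate known_hosts file; the unlocker box should itself be encrypted and is the one machine that then has to be unlocked by hand.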
What is the threat model you want to mitigate using encryption at rest? Is it that a physical disk is not properly wiped after usage? Then you could just use luks and store the key anywhere else, e.g. another machine or an external volume…
If you need disk encryption on Hetzner, I built a Terraform module that sets up a Kubernetes cluster with encrypted disks enabled by default: https://github.com/hcloud-k8s/terraform-hcloud-kubernetes
Their installer script supports LUKS.
To answer from a Kubernetes perspective: Both OpenEBS Mayastor and LocalZFS now support disk encryption.
Encrypted disks are easily set up with archlinux + LUKS + tinySSH; you can remote unlock via SSH.