You can also configure the apiserver/etcd to encrypt specific keyspaces, such as the secrets/ key space.