Forum Discussion
the-capricorn
Apr 20, 2026 (Occasional Reader)
AKS on AzureLocal: KMSv1 -> KMSv2
Hey, quick question on AKS Arc — we're running moc-kms-plugin:0.2.172-official on an Arc-enabled AKS cluster on Azure Local and currently have KMSv1=true as a feature gate to keep encryption at rest ...
Kidd_Ip
Apr 23, 2026 (MVP)
KMSv1 is deprecated in Kubernetes 1.28+ and disabled by default in 1.29, so migration to KMSv2 is required. The Microsoft‑managed moc-kms-plugin used in AKS Arc on Azure Local is being updated to support the KMSv2 gRPC API, but version 0.2.172-official does not yet expose full KMSv2 functionality. Migration for Arc clusters will come through platform updates rather than manual plugin replacement.
https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/
https://github.com/MicrosoftDocs/azure-stack-docs/blob/main/AKS-Arc/encrypt-etcd-secrets.md
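
To confirm which KMS API version actually protects Secrets at rest before and after a platform update, the raw etcd values can be classified by the `k8s:enc:<provider>:<version>:<name>:` prefix described in the Kubernetes KMS provider documentation linked above. This is an added example, not code from the thread or from Microsoft; the provider name `example-kms`, the etcd keys, and the byte strings are constructed, and it assumes you can read raw etcd values for the cluster.

```python
"""Classify raw etcd Secret values by encryption-at-rest provider (added example)."""
from collections import Counter

ENC_PREFIX = b"k8s:enc:"  # written by every encrypting provider (kms, aescbc, ...)


def classify(raw):
    """Return (scheme, provider_name) for one raw etcd value."""
    if not raw.startswith(ENC_PREFIX):
        # The identity provider stores the object as-is, with no prefix.
        return ("unencrypted", None)
    # Header is colon-delimited; maxsplit keeps colons inside the ciphertext intact.
    parts = raw[len(ENC_PREFIX):].split(b":", 3)
    if len(parts) < 4:
        return ("malformed", None)
    provider, version, name, _ciphertext = parts
    scheme = "%s:%s" % (provider.decode("ascii", "replace"),
                        version.decode("ascii", "replace"))
    return (scheme, name.decode("ascii", "replace"))


def migration_report(values):
    """Summarise a {etcd_key: raw_value} mapping for a KMSv1 -> KMSv2 check."""
    schemes = {key: classify(raw)[0] for key, raw in values.items()}
    return {
        "counts": Counter(schemes.values()),
        "still_v1": sorted(k for k, s in schemes.items() if s == "kms:v1"),
        "unencrypted": sorted(k for k, s in schemes.items() if s == "unencrypted"),
    }


# Constructed sample values; "example-kms" is a hypothetical provider name.
SAMPLE = {
    "/registry/secrets/default/db-password": b"k8s:enc:kms:v1:example-kms:\x00\x9f:\x11",
    "/registry/secrets/default/api-token": b"k8s:enc:kms:v2:example-kms:\x0a\x20\xc4",
    "/registry/secrets/kube-system/legacy": b"k8s\x00\x0a\x0c\x0a\x02v1\x12\x06Secret",
}

if __name__ == "__main__":
    report = migration_report(SAMPLE)
    for scheme, n in sorted(report["counts"].items()):
        print("%-12s %d" % (scheme, n))
    print("still on KMSv1:", report["still_v1"])
    print("not encrypted: ", report["unencrypted"])
```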