diff --git a/docs/encrypting-secret-data-at-rest.md b/docs/encrypting-secret-data-at-rest.md
new file mode 100644
index 0000000000000000000000000000000000000000..36742821e85719db0e94ed6201587e4846faeee2
--- /dev/null
+++ b/docs/encrypting-secret-data-at-rest.md
@@ -0,0 +1,22 @@
+# Encrypting Secret Data at Rest
+
+Before enabling Encrypting Secret Data at Rest, please read the following documentation carefully.
+
+<https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/>
+
+As you can see from the documentation above, 5 encryption providers are supported as of today (22.02.2022).
+
+As default value for the provider we have chosen `secretbox`.
+
+Alternatively you can use the values `identity`, `aesgcm`, `aescbc` or `kms`.
+
+| Provider | Why we have decided against the value as default                                                                                                                                         |
+|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| identity | no encryption                                                                                                                                                                    |
+| aesgcm   | Must be rotated every 200k writes                                                                                                                                                        |
+| aescbc   | Not recommended due to CBC's vulnerability to padding oracle attacks.                                                                                                                    |
+| kms      | Is the official recommended way, but assumes that a key management service independent of Kubernetes exists, we cannot assume this in all environments, so not a suitable default value. |
+
+## Details about Secretbox
+
+Secretbox uses [Poly1305](https://cr.yp.to/mac.html) as message-authentication code and [XSalsa20](https://www.xsalsa20.com/) as secret-key authenticated encryption and secret-key encryption.
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index 242cd39d82f61efa874784afe576af3b0ded5386..ac23e5b5db71cbf84096e8622132e6d3521d9e24 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -146,7 +146,7 @@ kube_proxy_nodeport_addresses: >-
 #   {{ inventory_hostname }}
 #   {%- endif -%}
 
-## Encrypting Secret Data at Rest (experimental)
+## Encrypting Secret Data at Rest
 kube_encrypt_secret_data: false
 
 # Graceful Node Shutdown (Kubernetes >= 1.21.0), see https://kubernetes.io/blog/2021/04/21/graceful-node-shutdown-beta/
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 65ba43a4692dd14b6aa8e3dc26ecab78c8f9643a..ad703702950025cc977e81d10648f93a485ebd37 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -144,7 +144,7 @@ controller_manager_extra_volumes: {}
 kube_encrypt_secret_data: false
 kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
 # Must be either: aescbc, secretbox or aesgcm
-kube_encryption_algorithm: "aescbc"
+kube_encryption_algorithm: "secretbox"
 # Which kubernetes resources to encrypt
 kube_encryption_resources: [secrets]
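Review bot: Changing the default `kube_encryption_algorithm` from `aescbc` to `secretbox` also changes the provider on existing clusters that already run with `kube_encrypt_secret_data: true` under the old default; unless the rendered EncryptionConfiguration keeps the previous provider in its list (the template is outside this hunk, so I cannot confirm), the apiserver will be unable to decrypt secrets that were written with aescbc after the next playbook run. The upstream procedure is to keep the old provider as a secondary decrypt-only entry, then rewrite stored secrets so they are re-encrypted with the new one, and only afterwards drop the old provider. I would record this next to the variable, e.g. `# Changing this on a cluster with kube_encrypt_secret_data already enabled requires a key/provider migration (keep the previous provider for decryption and re-encrypt existing secrets) before the old provider can be removed.` and mention the changed default in release notes. The comment on the line above (`Must be either: aescbc, secretbox or aesgcm`) is still accurate for this role even though the new docs file also lists `identity` and `kms`, which this role does not appear to render; a short note that those are not supported here would avoid confusion.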