Configs · Apr 15, 2026 · 2 min read

Sealed Secrets — One-Way Encrypted Kubernetes Secrets

Sealed Secrets is a Bitnami Labs controller and kubeseal CLI that lets teams commit encrypted secrets safely to Git, and have a cluster-side controller decrypt them into real Secrets at apply time.

Introduction

Sealed Secrets solves the classic GitOps dilemma: how to keep credentials in the same Git repo as the app manifests. A cluster controller holds an RSA private key; clients encrypt with the public half so only that cluster can decrypt.

What Sealed Secrets Does

  • Converts a Kubernetes Secret into a SealedSecret CRD safe to commit
  • Runs a controller that decrypts CRDs back into native Secrets
  • Rotates encryption keys on a schedule with backward-compatible decryption
  • Scopes decryption to a namespace and name, so a sealed value copied into another namespace or renamed will not decrypt
  • Exports and imports keys for disaster recovery

Architecture Overview

The controller generates an RSA keypair and publishes the public half as a certificate; kubeseal fetches that certificate from the controller or reads a cached copy. Each field of the SealedSecret CRD is AES-256 ciphertext under its own session key, and that session key is wrapped with the controller's RSA public key. A reconcile loop unseals each SealedSecret into a Secret of the same name in the same namespace, rejecting ciphertext whose bound namespace and name do not match the object it is stored in.
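The scheme above, as an added Go example that is not the project's own code: a toy seal/unseal pair with a random AES-256 session key, RSA-OAEP wrapping of that key, and the namespace/name binding modelled by using the scope label as the OAEP label (an assumption made for illustration; the page does not describe how the real controller encodes the binding). It shows a value sealed for prod/db being rejected when reused under staging/db.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// seal: a fresh AES-256 session key encrypts the field; RSA-OAEP wraps that key with
// the scope label (namespace/name) as the OAEP label (assumed model of the binding).
func seal(pub *rsa.PublicKey, label, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	// An all-zero nonce is acceptable only because the session key is never reused.
	return append(wrapped, gcm.Seal(nil, make([]byte, gcm.NonceSize()), plaintext, nil)...), nil
}
// unseal (controller side): a wrong key or a cross-namespace copy fails at the OAEP unwrap.
func unseal(priv *rsa.PrivateKey, label, sealed []byte) ([]byte, error) {
	n := priv.Size()
	if len(sealed) < n { // guards the slice below against truncated input
		return nil, fmt.Errorf("sealed value shorter than RSA modulus")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[:n], label)
	if err != nil {
		return nil, fmt.Errorf("scope mismatch or wrong controller key: %w", err)
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[n:], nil)
}
// demo seals for prod/db, unseals in place, then shows the staging/db copy failing.
func demo() (string, bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := seal(&priv.PublicKey, []byte("prod/db"), []byte("hunter2"))
	pt, _ := unseal(priv, []byte("prod/db"), sealed)
	_, err := unseal(priv, []byte("staging/db"), sealed)
	return string(pt), err != nil
}
func main() { fmt.Println(demo()) }
```

The constructed plaintext "hunter2" and the two scope labels are sample values; the rejection happens before any AES-GCM work because the OAEP label hash no longer matches.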

Self-Hosting & Configuration

  • Install via manifest, Helm chart, or kustomize
  • Back up the master key with kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
  • Use --scope cluster-wide only when intentionally sharing secrets
  • Integrate with Flux or Argo CD — SealedSecret is just another manifest
  • Rotate keys with controller annotations for compliance

Key Features

  • Client-side encryption — no plaintext leaves the operator's laptop
  • Namespace and name binding prevents renaming attacks
  • Works offline with cached kubeseal --fetch-cert
  • Broad ARM64 and Windows client support
  • Permissive Apache-2.0 license

Comparison with Similar Tools

  • SOPS + age/kms — encrypt at rest, decrypt at apply via tools like Flux
  • External Secrets Operator — pulls secrets from Vault/AWS SM at runtime
  • HashiCorp Vault — full secrets platform, more ops
  • AWS Secrets Manager CSI driver — cloud-only
  • Git-crypt — file-level encryption, not K8s aware

FAQ

Q: What happens if I lose the master key? A: All existing SealedSecrets become undecryptable. Back up regularly.

Q: Can I re-seal for a new cluster? A: Yes — re-run kubeseal using the new cluster's public cert.

Q: Does it rotate the decrypted Secret? A: No — edit the SealedSecret and the controller reconciles.

Q: Is it GitOps-friendly? A: Yes — SealedSecrets are declarative YAML safe for public repos.
