# Sealed Secrets — One-Way Encrypted Kubernetes Secrets

> Sealed Secrets is a Bitnami Labs controller plus a `kubeseal` CLI that lets teams commit encrypted secrets safely to Git and have a cluster-side controller decrypt them into real Secrets at apply time.

## Install

Save in your project root:

## Quick Use

```bash
# Install the controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.1/controller.yaml

# Grab kubeseal (client)
brew install kubeseal   # or download the release binary

# Encrypt a Secret (offline-friendly: kubeseal can use a cached cert)
kubectl create secret generic mysecret --dry-run=client --from-literal=password=hunter2 -o yaml \
  | kubeseal --format=yaml > mysecret-sealed.yaml

# Commit mysecret-sealed.yaml to Git, then:
kubectl apply -f mysecret-sealed.yaml
```

## Introduction

Sealed Secrets solves the classic GitOps dilemma: how to keep credentials in the same Git repo as the app manifests. A cluster controller holds an RSA private key; clients encrypt with the public half, so only that cluster can decrypt.

## What Sealed Secrets Does

- Converts a Kubernetes Secret into a `SealedSecret` CRD that is safe to commit
- Runs a controller that decrypts CRDs back into native Secrets
- Rotates encryption keys on a schedule while keeping older ciphertexts decryptable
- Scopes decryption per namespace and name to prevent cross-copy attacks
- Exports and imports keys for disaster recovery

## Architecture Overview

The controller generates an RSA keypair and exposes the public key; clients run `kubeseal`, which fetches the cert from the controller or uses a locally cached copy. The CRD carries AES-256 per-field ciphertext plus the RSA-wrapped session key. A reconcile loop decrypts each `SealedSecret` whose namespace and name match the sealed binding and produces the corresponding Secret resource.
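The hybrid scheme above, as an added Go example that is not Sealed Secrets' own code: a one-time AES-256-GCM session key is wrapped with RSA-OAEP, and the namespace/name string is used as the OAEP label, so a sealed value copied under a different namespace or name fails to unseal. The wire format, the zero nonce (safe only because each session key is used exactly once) and the `NewControllerKey` helper are simplifications assumed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewControllerKey stands in for the controller's generated keypair (constructed example).
func NewControllerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// label binds a ciphertext to exactly one namespace/name, which is what defeats copy/rename attacks.
func label(namespace, name string) []byte { return []byte(namespace + "/" + name) }

// Seal wraps a fresh AES-256 session key with RSA-OAEP (label = namespace/name)
// and encrypts the value with AES-GCM. Output: [2-byte len][wrapped key][ciphertext].
func Seal(pub *rsa.PublicKey, namespace, name string, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label(namespace, name))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize()) // zero nonce: the session key is never reused
	out := append([]byte{byte(len(wrapped) >> 8), byte(len(wrapped))}, wrapped...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Unseal reverses Seal; it fails if the private key or the namespace/name label differs.
func Unseal(priv *rsa.PrivateKey, namespace, name string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 || len(sealed) < 2+(int(sealed[0])<<8|int(sealed[1])) {
		return nil, fmt.Errorf("sealed blob truncated")
	}
	n := int(sealed[0])<<8 | int(sealed[1])
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:2+n], label(namespace, name))
	if err != nil {
		return nil, fmt.Errorf("wrong key or namespace/name: %w", err)
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}
```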
## Self-Hosting & Configuration

- Install via manifest, Helm chart, or `kustomize`
- Back up the master key with `kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml`
- Use `--scope cluster-wide` only when intentionally sharing secrets across namespaces
- Integrate with Flux or Argo CD — a SealedSecret is just another manifest
- Rotate keys with controller annotations for compliance

## Key Features

- Client-side encryption — no plaintext leaves the operator's laptop
- Namespace and name binding prevents renaming attacks
- Works offline with a cert cached via `kubeseal --fetch-cert`
- Broad ARM64 and Windows client support
- Permissive Apache-2.0 license

## Comparison with Similar Tools

- **SOPS + age/KMS** — encrypts at rest, decrypts at apply time via tools like Flux
- **External Secrets Operator** — pulls secrets from Vault/AWS Secrets Manager at runtime
- **HashiCorp Vault** — full secrets platform, more ops
- **AWS Secrets Manager CSI driver** — cloud-only
- **git-crypt** — file-level encryption, not Kubernetes-aware

## FAQ

**Q:** What happens if I lose the master key?
**A:** All existing SealedSecrets become undecryptable. Back up regularly.

**Q:** Can I re-seal for a new cluster?
**A:** Yes — re-run `kubeseal` using the new cluster's public cert.

**Q:** Does it rotate the decrypted Secret?
**A:** No — edit the SealedSecret and the controller reconciles.

**Q:** Is it GitOps-friendly?
**A:** Yes — SealedSecrets are declarative YAML safe for public repos.

## Sources

- https://github.com/bitnami-labs/sealed-secrets
- https://sealed-secrets.netlify.app/

---

Source: https://tokrepo.com/en/workflows/96d329e7-38fa-11f1-9bc6-00163e2b0d79
Author: AI Open Source