Skip to main content
Sealed Secrets provides a secure, GitOps-friendly method for managing Kubernetes Secrets by encrypting them for safe storage in public repositories. With Sealed Secrets, you can commit encrypted manifests to GitHub without exposing sensitive data. Only your Kubernetes cluster—where the Sealed Secrets Operator is running—can decrypt these manifests back into native Secret objects.

Key Components

ComponentRoleTypical Usage
Sealed Secrets OperatorCluster-side controllerWatches for SealedSecret CRs and converts them into standard Secrets
kubeseal CLILocal or CI command-line utilityEncrypts plain Secret manifests into SealedSecret manifests
SealedSecret Custom ResourceCRD defining encrypted secret schemaLets the Operator recognize and decrypt your encrypted payloads automatically
  • A running Kubernetes cluster (v1.13+).
  • The Sealed Secrets Operator installed:
    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.23.0/controller.yaml
  • Public key accessible for kubeseal:
    kubeseal --fetch-cert > public-cert.pem
Always back up the private key used by the Sealed Secrets controller. Losing it means you won’t be able to decrypt existing SealedSecret resources.

GitOps Workflow for Encrypted Secrets

  1. Define a Kubernetes Secret
    Create a plain Secret manifest (e.g., db-credentials.yaml).
  2. Encrypt with kubeseal 
    kubeseal \
  --format=yaml \
  --cert=public-cert.pem \
  < db-credentials.yaml \
  > sealed-db-credentials.yaml
  3. Commit to Git
    Push the SealedSecret manifest (sealed-db-credentials.yaml) to your repository.
  4. Automatic Decryption
    The Sealed Secrets Operator detects the new SealedSecret, decrypts it, and generates a standard Secret for your pods to consume.

Watch Video