kubeseal
encrypts Kubernetes secrets for safe storage
TLDR
Seal secret
SYNOPSIS
kubeseal [options]
DESCRIPTION
kubeseal is a client-side tool for encrypting Kubernetes Secret resources into SealedSecret objects that are safe to store in version control. It uses asymmetric encryption with a public key fetched from the Sealed Secrets controller running in the cluster, ensuring that only that specific controller can decrypt the data back into a usable Secret.
The tool reads a standard Kubernetes Secret from stdin or a file, encrypts it, and outputs a SealedSecret custom resource in YAML or JSON format. This enables GitOps workflows where all cluster configuration, including secrets, can be committed to a Git repository without exposing sensitive values. Each SealedSecret is scoped to a specific namespace and cluster by default, preventing re-use of encrypted data across environments.
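A repository-side check for the GitOps workflow described above, as an added example that is not part of kubeseal or the Sealed Secrets project: it flags manifests that still declare a plain Secret, so only SealedSecret output gets committed. The function names and sample manifests are constructed for illustration.

```python
import json
import re

# Constructed sample manifests; names and values are placeholders.
PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
stringData:
  password: example-only
"""
SEALED = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: ciphertext-placeholder
"""

# Matches `kind: Secret` at any indentation (also list items and quoted keys),
# so Secrets nested inside a v1 List are caught; `SealedSecret` does not match.
_SECRET_LINE = re.compile(
    r"""^\s*(?:-\s+)?["']?kind["']?:\s*["']?Secret["']?\s*,?\s*(?:#.*)?$""")

def _json_has_secret(node):
    """Walk parsed JSON and report any object whose kind is exactly Secret."""
    if isinstance(node, dict):
        return node.get("kind") == "Secret" or any(
            _json_has_secret(v) for v in node.values())
    if isinstance(node, list):
        return any(_json_has_secret(v) for v in node)
    return False

def plaintext_secret_docs(text):
    """Return 0-based indexes of documents that still declare a plain Secret."""
    try:  # a single JSON document, the form `--format json` produces
        return [0] if _json_has_secret(json.loads(text)) else []
    except ValueError:
        pass  # not JSON: treat as (possibly multi-document) YAML
    docs = re.split(r"^---\s*$", text, flags=re.MULTILINE)
    return [i for i, doc in enumerate(docs)
            if any(_SECRET_LINE.match(line) for line in doc.splitlines())]

def safe_to_commit(text):
    """True when no document in the manifest is an unencrypted Secret."""
    return not plaintext_secret_docs(text)
```

Run from a pre-commit hook or CI job over the staged manifest files, and fail the job when `safe_to_commit` returns False.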
PARAMETERS
--controller-name NAME
Sealed Secrets controller name.
--controller-namespace NS
Controller namespace.
--namespace NS
Target namespace.
--fetch-cert
Fetch public certificate.
--format FMT
Output format (yaml, json).
--help
Display help information.
CAVEATS
Requires the Sealed Secrets controller. Encryption is cluster-specific. Back up keys carefully.
HISTORY
kubeseal is part of Sealed Secrets by Bitnami for secure secret management in GitOps workflows.
