LinuxCommandLibrary

kubeseal

Seal Kubernetes secrets for secure storage

TLDR

Encrypt a Kubernetes secret from a YAML file into a SealedSecret (default JSON output)

$ kubeseal < [secret.yaml] > [sealedsecret.json]

Encrypt a secret, choosing the output format (default is json) and authenticating to the API server with a bearer token
$ kubeseal < [secret.yaml] [-o|--format] [yaml|json] --token [my-bearer-token] > [sealedsecret.yaml]

Seal a secret when the controller runs outside the default kube-system namespace or under a non-default name
$ kubeseal < [secret.yaml] --controller-namespace [controller-namespace] --controller-name [controller-name] > [sealedsecret.yaml]

Encrypt a single raw value from a file; --name and --namespace must match the SealedSecret it will be pasted into, and the output is only the ciphertext for spec.encryptedData, not a manifest
$ kubeseal --raw --from-file [path/to/secret.txt] --name [my-secret] --namespace [namespace] --scope [strict|namespace-wide|cluster-wide] > [encrypted-value.txt]

Fetch the controller's public certificate for offline sealing with basic auth
$ kubeseal --fetch-cert --username [username] --password [password] > [cert.pem]

Seal a secret offline using a fetched certificate
$ kubeseal < [secret.yaml] --cert [cert.pem] > [sealedsecret.yaml]

Merge a secret into an existing SealedSecret file in-place
$ kubeseal < [secret.yaml] --merge-into [sealedsecret.yaml]

Ask the controller to confirm a SealedSecret can be decrypted, without creating it (needs cluster access)
$ kubeseal < [sealedsecret.yaml] --validate

SYNOPSIS

kubeseal [OPTIONS] < secret.yaml > sealedsecret.json

kubeseal takes no positional file argument: the Secret is read from stdin (or --secret-file) and the SealedSecret is written to stdout (or --sealed-secret-file).

PARAMETERS

--cert=FILE_OR_URL
    Certificate or public key to encrypt with (a local file or a URL). Overrides --controller-*, so sealing works offline without any cluster access. Can also be given through the SEALED_SECRETS_CERT environment variable

--controller-name=NAME
    Name of the sealed-secrets controller Service (default: sealed-secrets-controller)

--controller-namespace=NS
    Namespace the controller runs in (default: kube-system)

--fetch-cert
    Fetch the controller's current public certificate from the cluster and write it to stdout, for later use with --cert

-o, --format=FORMAT
    Output format for the SealedSecret: json or yaml (default: json)

-n, --namespace=NS
    Namespace of the SealedSecret. Required with --raw under strict or namespace-wide scope; otherwise taken from the input Secret

--name=NAME
    Name of the SealedSecret. Required with --raw under strict scope; otherwise taken from the input Secret

--scope=SCOPE
    What the ciphertext is bound to: strict (namespace and name), namespace-wide (namespace only) or cluster-wide (nothing). Mandatory with --raw; for a Secret input the annotations sealedsecrets.bitnami.com/namespace-wide or sealedsecrets.bitnami.com/cluster-wide set to "true" on the Secret are honoured, and the default is strict

--raw
    Encrypt a single value (from --from-file or stdin) instead of a whole Secret and print only the ciphertext, for pasting into spec.encryptedData

--from-file=FILE
    With --raw: read the value from FILE (/dev/stdin works; repeatable)

--secret-file=FILE
    Secret to encrypt (default: stdin)

--sealed-secret-file=FILE
    Where to write the SealedSecret (default: stdout)

--merge-into=FILE
    Add or replace the input Secret's items in the existing SealedSecret FILE, updating it in place instead of writing to stdout

--re-encrypt
    Re-encrypt the SealedSecret on stdin with the controller's newest key; needs cluster access

--validate
    Ask the controller whether the SealedSecret on stdin can be decrypted; needs cluster access

--recovery-unseal
    Decrypt a SealedSecret locally with --recovery-private-key, for disaster recovery from a backed-up controller key

--recovery-private-key=FILE
    Private key(s) for --recovery-unseal (repeatable)

--allow-empty-data
    Accept a Secret that has no data items

--kubeconfig=FILE, --context=CONTEXT, --token=TOKEN, --username=USER, --password=PASS
    Standard Kubernetes client options, used only when kubeseal has to contact the API server (--fetch-cert, --validate, --re-encrypt, or sealing without --cert)

--version
    Print version information

-h, --help
    Show help

DESCRIPTION

kubeseal is the client-side CLI of the Sealed Secrets project from Bitnami Labs. It encrypts Kubernetes Secrets so that the result can be committed to Git. A plain Secret manifest only base64-encodes its values, so anyone with read access to the repository (or to etcd, where encryption at rest is not enabled) can recover them, which makes raw Secrets unfit for GitOps. kubeseal encrypts each item with the public key of the Sealed Secrets controller running in the target cluster and emits a SealedSecret custom resource; only that controller, which holds the private key, can turn it back into a Secret.

The workflow: produce a Secret manifest (for example with kubectl create secret ... --dry-run=client -o yaml), pipe it through kubeseal, commit the SealedSecret, and apply it with kubectl or your GitOps tool. The controller in the cluster, deployed separately, decrypts it with its private key and creates the original Secret. The scope decides what the ciphertext is bound to: strict (the default) ties it to the SealedSecret's namespace and name, so a renamed or moved copy fails to decrypt; namespace-wide ties it to the namespace only; cluster-wide binds it to nothing, so the same ciphertext decrypts from any SealedSecret in the cluster. Non-strict scopes are recorded on the SealedSecret as the annotation sealedsecrets.bitnami.com/namespace-wide or sealedsecrets.bitnami.com/cluster-wide set to "true".
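The scope binding above is the security property worth understanding before choosing a scope. The Go program below is an added illustration, not code from the Sealed Secrets project: it models the scheme the project documents (a fresh AES-GCM session key per value, wrapped with RSA-OAEP/SHA-256 using the scope label as the OAEP label) and shows that a ciphertext sealed strictly for prod/db-creds refuses to open once the controller recomputes the label for a different namespace. The freshly generated RSA key stands in for the controller's key pair, the plaintext is a constructed sample, and the byte layout is an assumption made for this example rather than a claim of wire compatibility with real SealedSecrets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// sealingLabel is what gets bound into every ciphertext:
// strict -> "namespace/name", namespace-wide -> "namespace", cluster-wide -> "".
func sealingLabel(namespace, name, scope string) []byte {
	switch scope {
	case "namespace-wide":
		return []byte(namespace)
	case "cluster-wide":
		return nil
	default: // strict
		return []byte(namespace + "/" + name)
	}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridSeal wraps a fresh 256-bit session key with RSA-OAEP(SHA-256) under the
// scope label, then encrypts the value with AES-GCM under that key.
// Layout (assumed for this example): 2-byte big-endian wrapped-key length || wrapped key || GCM output.
func hybridSeal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is used exactly once, so a fixed zero nonce is sound here.
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}

// hybridUnseal is the controller's side: recompute the label from the SealedSecret's
// own namespace/name/scope and unwrap. A different label makes OAEP unwrapping fail.
func hybridUnseal(priv *rsa.PrivateKey, sealed, label []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("ciphertext too short")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	if len(sealed) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong key or scope/name mismatch): %w", err)
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}

// scopeDemo seals a constructed value strictly for prod/db-creds and reports whether it
// opens (a) under the same identity and (b) after being copied into the staging namespace.
func scopeDemo() (sameOK, movedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the controller's key pair
	if err != nil {
		return false, false, err
	}
	sealed, err := hybridSeal(&priv.PublicKey, []byte("s3cr3t"), sealingLabel("prod", "db-creds", "strict"))
	if err != nil {
		return false, false, err
	}
	pt, err := hybridUnseal(priv, sealed, sealingLabel("prod", "db-creds", "strict"))
	sameOK = err == nil && string(pt) == "s3cr3t"
	_, err = hybridUnseal(priv, sealed, sealingLabel("staging", "db-creds", "strict"))
	movedOK = err == nil
	return sameOK, movedOK, nil
}

func main() {
	same, moved, err := scopeDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("opens as prod/db-creds: %v; opens after move to staging: %v\n", same, moved)
}
```

Switch the label in scopeDemo to the cluster-wide form and the moved copy opens as well: that is exactly the over-decryption risk of --scope cluster-wide, where any SealedSecret in the cluster can carry the ciphertext into a namespace its author controls.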

SealedSecrets are safe to store in Git, and once sealed the values can only be read by the controller that holds the private key. That key is the single point of failure: the controller keeps it as Secrets labelled sealedsecrets.bitnami.com/sealed-secrets-key in its own namespace, and if they are lost without a backup every SealedSecret becomes unrecoverable (with a backup, kubeseal --recovery-unseal can decrypt offline). kubeseal reads from stdin or --secret-file, writes to stdout or --sealed-secret-file, merges new items into an existing SealedSecret with --merge-into, and fetches the controller's current certificate for offline sealing. It contacts the Kubernetes API through the usual kubeconfig options only when it needs the cluster (--fetch-cert, --validate, --re-encrypt, or sealing without --cert); with --cert it needs no cluster access at all and does not require kubectl. The output is an ordinary YAML or JSON manifest, so it drops into Helm charts and Kustomize overlays without special support.
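"Safe to commit" only holds if what reaches the repository really is a SealedSecret and not the plaintext Secret that was piped into kubeseal. The Go check below is an added example, not part of kubeseal, of the gate a pre-commit hook or CI job would run over each manifest: it accepts a kind SealedSecret with non-empty spec.encryptedData, rejects a kind Secret or any document that still carries data/stringData, and only waives the namespace requirement when the cluster-wide annotation is set. The JSON documents are constructed samples (the ciphertext value is a placeholder, not real output), and the function only handles kubeseal's default JSON output; YAML input would need a YAML decoder, which the standard library lacks.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// manifest holds only the fields the guard needs; other fields are ignored.
type manifest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Data       map[string]string `json:"data"`       // plaintext fields of a raw Secret
	StringData map[string]string `json:"stringData"` // must never appear in committed files
	Spec       struct {
		EncryptedData map[string]string `json:"encryptedData"`
	} `json:"spec"`
}

// checkSealed returns nil only for a SealedSecret that carries ciphertext and no plaintext.
func checkSealed(doc []byte) error {
	var m manifest
	if err := json.Unmarshal(doc, &m); err != nil {
		return fmt.Errorf("not a JSON manifest: %w", err)
	}
	if m.Kind != "SealedSecret" || m.APIVersion != "bitnami.com/v1alpha1" {
		return fmt.Errorf("refusing %s/%s: only SealedSecret manifests may be committed", m.APIVersion, m.Kind)
	}
	if len(m.Data) > 0 || len(m.StringData) > 0 {
		return errors.New("plaintext data/stringData present alongside the SealedSecret")
	}
	if len(m.Spec.EncryptedData) == 0 {
		return errors.New("spec.encryptedData is empty")
	}
	if m.Metadata.Name == "" {
		return errors.New("metadata.name is required")
	}
	clusterWide := m.Metadata.Annotations["sealedsecrets.bitnami.com/cluster-wide"] == "true"
	if m.Metadata.Namespace == "" && !clusterWide {
		return errors.New("metadata.namespace is required unless the cluster-wide annotation is set")
	}
	return nil
}

// Constructed samples: a proper SealedSecret, the raw Secret that fed kubeseal,
// a SealedSecret that still leaks stringData, and a cluster-wide one without a namespace.
const sealedDoc = `{"apiVersion":"bitnami.com/v1alpha1","kind":"SealedSecret",
 "metadata":{"name":"db-creds","namespace":"prod"},
 "spec":{"encryptedData":{"password":"AgByPLACEHOLDERCIPHERTEXT"}}}`

const plainDoc = `{"apiVersion":"v1","kind":"Secret",
 "metadata":{"name":"db-creds","namespace":"prod"},
 "data":{"password":"czNjcjN0"}}`

const leakyDoc = `{"apiVersion":"bitnami.com/v1alpha1","kind":"SealedSecret",
 "metadata":{"name":"db-creds","namespace":"prod"},
 "stringData":{"password":"s3cr3t"},
 "spec":{"encryptedData":{"password":"AgByPLACEHOLDERCIPHERTEXT"}}}`

const clusterWideDoc = `{"apiVersion":"bitnami.com/v1alpha1","kind":"SealedSecret",
 "metadata":{"name":"shared-token","annotations":{"sealedsecrets.bitnami.com/cluster-wide":"true"}},
 "spec":{"encryptedData":{"token":"AgByPLACEHOLDERCIPHERTEXT"}}}`

func main() {
	for name, doc := range map[string]string{
		"sealed": sealedDoc, "plain": plainDoc, "leaky": leakyDoc, "cluster-wide": clusterWideDoc,
	} {
		if err := checkSealed([]byte(doc)); err != nil {
			fmt.Printf("%-12s REJECT: %v\n", name, err)
		} else {
			fmt.Printf("%-12s ok\n", name)
		}
	}
}
```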

CAVEATS

The controller must be running in the target cluster, and the certificate used for sealing must be that controller's; a SealedSecret sealed for one cluster does not decrypt in another. The controller renews its key pair periodically (every 30 days by default) while keeping the old keys, so existing SealedSecrets keep working, but a cached certificate should be refreshed with --fetch-cert and kubeseal --re-encrypt moves a SealedSecret to the newest key. cluster-wide scope lets anyone able to create a SealedSecret in any namespace have the value decrypted into a namespace they control, and namespace-wide allows the same within one namespace, so prefer strict. Anyone who can read Secrets in the controller's namespace can read the private key and decrypt everything; losing that key without a backup makes every SealedSecret unrecoverable. Never commit the plaintext Secret next to its SealedSecret.

INSTALLATION

Client: brew install kubeseal, or a kubeseal binary from the project's GitHub releases page.
Controller: kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/latest/download/controller.yaml (installs into kube-system)
Extract cert: kubeseal --fetch-cert --controller-namespace kube-system --controller-name sealed-secrets-controller > pub-cert.pem

EXAMPLE

kubectl create secret generic db-creds --namespace prod --from-literal=password='s3cr3t' --dry-run=client -o yaml \
  | kubeseal --controller-namespace kube-system -o yaml > sealed-db-creds.yaml
kubectl apply -f sealed-db-creds.yaml
kubectl get secret db-creds -n prod   # created by the controller once it decrypts the SealedSecret

HISTORY

Created by Bitnami Labs as the companion CLI of the Sealed Secrets controller and maintained at github.com/bitnami-labs/sealed-secrets. Later releases added automatic key renewal with --re-encrypt, --raw sealing of single values, --merge-into and --recovery-unseal; its adoption grew with GitOps because SealedSecrets can be committed as ordinary manifests.

SEE ALSO

kubectl(1), kustomize(1), helm(1)
