"Sealed Secrets" for Kubernetes

Sealed Secrets provides declarative Kubernetes Secret Management in a secure way. Since the Sealed Secrets are encrypted, they can be safely stored in a code repository. This enables an easy to implement GitOps flow that is very popular among the OSS community.

On your command line

Sealed Secrets offers a powerful CLI tool (kubeseal) to one-way encrypt your Kubernetes Secret easily.

On your K8S cluster

The Sealed Secrets controller will decrypt any Sealed Secret into its equivalent Kubernetes Secret

On your code repository

Sealed Secrets are safe to store in your local code repository, along with the rest of your configuration.

Learn More About Sealed Secrets

Learn more about Sealed Secrets and how to create secure Secrets in Kubernetes

Advanced Cryptography with Sealed Secrets

How to apply the best possible encryption to your Sealed Secrets, from using customized Certificates to post-quantum recomendations.


One-way Encryption

SealedSecrets are a "write only" device. The idea is that the SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.

Learn more

Sealing key renewal

Sealing keys are automatically renewed every 30 days. Which means a new sealing key is created and appended to the set of active sealing keys the controller can use to unseal Sealed Secret resources.

Learn more

Sealed Secrets Metrics

The Sealed Secrets Controller running in Kubernetes exposes Prometheus metrics. These metrics enable operators to observe how it is performing. For example how many SealedSecret unseals have been attempted and how many errors may have occured due to RBAC permissions, wrong key, corrupted data, etc.

Learn more

Meet the Sealed Secrets team:

Alfredo García

Alfredo García


Alvaro Neira

Alvaro Neira



Sealed Secrets is released as open-source software and provides community support through our GitHub project page. If you encounter an issue or have a question, feel free to reach out on the GitHub issues page for Sealed Secrets.

The Sealed Secrets project team welcomes contributions from the community — please have a look at our contributing documentation.

Getting started

Discover how to deploy Sealed Secrets in your cluster, and start managing your Kubernetes Secrets in a secure way!