How Sealed Secrets Work: Encrypting Secrets for GitOps Workflows

Written By:
Founder & CTO
June 20, 2025
Introduction to Sealed Secrets in Kubernetes and GitOps

In the ever-evolving world of Kubernetes and DevOps, securing sensitive data like credentials, tokens, certificates, and keys is not just an operational requirement, it’s a security imperative. As more teams embrace GitOps workflows, where the entire system configuration is stored in version-controlled repositories, managing secrets securely becomes even more critical. That’s where Sealed Secrets come into the picture.

Sealed Secrets, introduced by Bitnami, solve one of the most pressing problems for Kubernetes operators and developers: how to manage Kubernetes secrets securely in a Git-centric, declarative infrastructure. With Sealed Secrets, developers can safely store encrypted secrets in a public or private Git repository, knowing they will be decrypted only by the intended Kubernetes cluster and controller.

The central idea is simple but powerful: encrypt secrets before committing them to Git, using a controller in the Kubernetes cluster that holds the private decryption key. This lets teams fully embrace GitOps principles while maintaining strict security standards.

Understanding the Core Architecture of Sealed Secrets
Sealed Secrets Controller – The Heart of the Workflow

At the core of Sealed Secrets is the Sealed Secrets controller, a Kubernetes-native component that performs the essential job of decrypting SealedSecrets resources and transforming them into traditional Kubernetes Secrets. It runs inside the Kubernetes cluster and is deployed as a controller, typically within the kube-system or a custom namespace.

When you install this controller, it automatically generates a cryptographic key pair. The private key remains secure inside the cluster, used only by the controller, while the public key is made accessible so that developers can encrypt secrets before they reach the cluster. This split of responsibility ensures that sensitive data never leaves the developer's machine in an unencrypted format.

kubeseal CLI – Encrypting Secrets from the Developer’s Workstation

To encrypt Kubernetes Secrets into Sealed Secrets, developers use the kubeseal command-line tool. This tool interacts with the Sealed Secrets controller to retrieve the public key and use it to encrypt secrets. This encryption happens entirely on the client side, meaning the actual secret values never need to travel over the network unencrypted or touch any CI/CD pipeline in plaintext.

Developers create a standard Kubernetes Secret manifest, then use kubeseal to convert it into a SealedSecret manifest. This new SealedSecret resource is safe to commit to Git, push to remote repositories, and include in GitOps automation pipelines.

End-to-End Encryption Workflow in Sealed Secrets
Step 1: Public/Private Key Generation and Secure Storage

When the Sealed Secrets controller is deployed into a Kubernetes cluster, it automatically generates an asymmetric RSA key pair. This key pair plays a pivotal role in ensuring that secrets can be encrypted externally and decrypted securely within the cluster.

  • The private key is stored in a Kubernetes Secret within the controller’s namespace.

  • The public key is fetched by kubeseal either automatically or manually via kubeseal --fetch-cert.

This asymmetric encryption model ensures that even if someone has access to the public key, they cannot decrypt any data sealed with it unless they also have access to the private key.

Step 2: Encrypting Secrets Locally

After fetching the public key, the next step is to encrypt a standard Kubernetes Secret into a SealedSecret. This encryption includes both:

  • Symmetric encryption: Encrypting the actual secret data using AES encryption.

  • Asymmetric encryption: Encrypting the AES key using the controller’s RSA public key.

This hybrid encryption strategy provides a strong balance of performance and security. Once encrypted, this SealedSecret object is safe to store in Git, even in public repositories, without exposing sensitive information.

Step 3: Deploying Sealed Secrets via GitOps

Once committed to the Git repository, Sealed Secrets become part of your infrastructure-as-code (IaC). Tools like FluxCD, ArgoCD, or custom CI/CD scripts will apply the SealedSecrets to your Kubernetes cluster.

Upon detecting a new SealedSecret resource, the controller does the following:

  1. Decrypts the secret using the private key.

  2. Recreates the original Kubernetes Secret object.

  3. Makes it available in the cluster as if it were created directly by kubectl.

This workflow integrates seamlessly with GitOps practices, offering both automation and security without compromise.

Scoping and Access Control for Sealed Secrets
Strict, Namespace-Wide, and Cluster-Wide Scoping

Sealed Secrets supports multiple scoping strategies that dictate where and how a sealed secret can be decrypted. These options give teams flexibility based on their security policies:

  • Strict scope (default): The sealed secret is bound to a specific namespace and name. It cannot be decrypted in any other location.

  • Namespace-wide scope: The secret can be decrypted in any resource with the same name within the same namespace.

  • Cluster-wide scope: The most permissive, allowing the sealed secret to be decrypted anywhere in the cluster, regardless of namespace.

The scoping mechanism adds a powerful layer of security by enforcing contextual binding. Even if a SealedSecret is somehow leaked, it can only be decrypted in the intended context.

Role-Based Access Control (RBAC)

Access to Sealed Secrets can be tightly managed using Kubernetes RBAC policies. By restricting who can create SealedSecrets or fetch the public key, administrators ensure that only trusted CI/CD processes or developers can contribute new secrets to the system. This makes it easy to integrate with enterprise-grade security and auditing practices.

Why Developers Love Sealed Secrets
Seamless Developer Experience

Sealed Secrets drastically improve the developer experience by simplifying secret management. Developers no longer need to manage shared vaults, rotate credentials manually, or worry about secrets leaking in Git history.

With just one command, they can encrypt a secret and push it to Git, knowing that it's safe by design. No change in deployment logic, no separate tools for decrypting at runtime, and no runtime secrets injection issues.

Safe by Default

Sealed Secrets ensures that secrets are never stored in plaintext, either locally or in CI/CD pipelines. Every SealedSecret is write-only, once created, it cannot be decrypted by the developer or pipeline. Only the controller inside the Kubernetes cluster can decrypt and use it. This provides immutable, tamper-proof secret management.

GitOps Native

Because Sealed Secrets can be safely committed to Git, they align perfectly with GitOps principles. Every infrastructure component, including secrets, can be version-controlled, reviewed, audited, and deployed automatically. This consistency makes it easy to:

  • Roll back secrets if necessary.

  • Audit changes.

  • Reproduce environments across clusters.

Operational Best Practices for Sealed Secrets
Key Rotation

The controller supports automatic key rotation. Best practices include:

  • Rotating keys every 30 to 90 days.

  • Backing up the old private keys securely.

  • Re-sealing secrets using kubeseal --re-encrypt.

Regular rotation ensures that even if a key is compromised, previously sealed secrets cannot be decrypted.

Backup and Disaster Recovery

Backup of both the controller’s private key and SealedSecrets manifests ensures complete recovery in case of disaster. The manifest itself is not sufficient, if the private key is lost, the secrets become unrecoverable. Therefore, store private keys securely in offline or vaulted systems.

Automation in CI/CD

You can automate Sealed Secret creation in CI/CD pipelines by:

  1. Fetching the public key dynamically.

  2. Creating Kubernetes Secrets via scripts.

  3. Sealing them using kubeseal.

  4. Committing the result to Git for GitOps sync.

No secret ever exists unsealed in logs or persistent storage. This security-by-default design makes Sealed Secrets one of the most GitOps-friendly solutions available.

Comparing Sealed Secrets with Traditional Secret Management

Unlike external vault solutions that require service accounts, complex access controls, or external dependencies, Sealed Secrets:

  • Run entirely within Kubernetes.

  • Require no third-party secret stores.

  • Fit seamlessly into GitOps and declarative workflows.

  • Offer high security through encryption and strict scoping.

While vaults are powerful and necessary for multi-environment secrets management, Sealed Secrets are simpler and purpose-built for GitOps use cases.

The Future of Sealed Secrets

As GitOps adoption grows, the demand for robust, developer-friendly secret management continues to rise. The Sealed Secrets project is rapidly evolving with:

  • Enhanced encryption options.

  • Improved multi-cluster support.

  • Advanced validation tools.

  • Better integration with GitOps controllers.

This makes Sealed Secrets a strong contender for default secret management in GitOps-native Kubernetes ecosystems.

Conclusion: Embrace Sealed Secrets for Secure, GitOps-First Kubernetes Secret Management

In today’s cloud-native, security-conscious world, managing secrets safely is no longer optional, it’s essential. Sealed Secrets offers a powerful solution for developers, DevOps teams, and platform engineers who want to integrate secrets into their GitOps workflow without compromising security.

It encrypts secrets before they’re ever committed, decrypts only within the cluster, and supports scoping, automation, and auditing, all while remaining intuitive and easy to use.

If your team manages Kubernetes at scale and values automation, transparency, and security, adopting Sealed Secrets could be one of the most impactful decisions you make for your platform.