Sealed Secrets

GitOps

A Kubernetes controller and CLI that lets you store encrypted secrets safely in git by sealing them into SealedSecret resources which only the cluster-side controller can decrypt.

Track releases GitHub

Go Latest v0.37.0 · 13d ago Security brief →

Features

Encrypts Kubernetes Secrets into SealedSecret CRDs for safe storage in version control
Controller running in the target cluster is the sole entity able to decrypt sealed secrets
Supports multiple installation methods: Helm, Kustomize, Homebrew, MacPorts, Nixpkgs, Linux binary and source builds
Provides `kubeseal` CLI for sealing secrets locally before applying them

Recent releases

View all 14 releases →

Review required

v0.37.0 Mixed 13d

Go bump + dependency updates + OCI fix

Open

v0.36.4 Maintenance 1mo

Updated Kubernetes integration test matrix to latest 1.33, 1.34, and 1.35 patch versions for compatibility verification.

View release on GitHub

v0.36.2 Security relevant 1mo

⚠ Upgrade required

Release notes reference RELEASE-NOTES.md for important upgrade information from previous releases

Security fixes

Bumped golang.org/x/crypto from 0.48.0 to 0.49.0 (cryptographic library update with potential security implications)

View release on GitHub

v0.36.1 Bug fix 2mo

Fixed OCI push action, explicitly specified TCP protocol for Helm Server-Side Apply compatibility, improved multi-namespace support, and removed helm deprecation notices.

View release on GitHub

v0.36.0 Security relevant 3mo

Security fixes