← all formulae

kubeseal

brew install kubeseal v0.38.1 Apache-2.0

Go command-line tool to encrypt Kubernetes Secrets into SealedSecrets that only a cluster controller can decrypt.

Why you might care

Enables GitOps workflows by making it safe to store encrypted secrets in version control alongside your cluster config. The kubeseal CLI encrypts secrets client-side using a cluster-specific public key; only the in-cluster controller with the private key can decrypt them, so you never commit plaintext secrets or manage keys manually.

Categories

kubernetes encryption security

Alternatives

kustomize external-secrets Vault

2.3k

30-day installs · #898

5.9k

90-day · #1018

23.6k

365-day · #990

9.2k

★ GitHub stars · updated 2d ago

Build dependencies

go

GitHub topics

devops-workflow encrypt-secrets gitops kubernetes kubernetes-secrets

Links

https://github.com/bitnami-labs/sealed-secrets
GitHub: bitnami-labs/sealed-secrets
Brew formula source: Formula/k/kubeseal.rb

Blurb generated by claude-haiku-4-5 on today.

Raw metadata

{
  "aliases": [],
  "alternatives": [
    "kustomize",
    "external-secrets",
    "Vault"
  ],
  "build_dependencies": [
    "go"
  ],
  "categories": [
    "kubernetes",
    "encryption",
    "security"
  ],
  "caveats": null,
  "conflicts_with": [],
  "dependencies": [],
  "deprecated": 0,
  "deprecation_reason": null,
  "desc": "Kubernetes controller and tool for one-way encrypted Secrets",
  "disable_reason": null,
  "disabled": 0,
  "enrichment_fetched_at": "2026-06-20T23:41:11+00:00",
  "first_seen": "2026-06-20T23:34:18+00:00",
  "full_name": "kubeseal",
  "github_default_branch": "main",
  "github_last_commit_at": "2026-06-18T13:15:48Z",
  "github_readme_excerpt": "# \"Sealed Secrets\" for Kubernetes\n\n[![](https://img.shields.io/badge/install-docs-brightgreen.svg)](#Installation)\n[![](https://img.shields.io/github/release/bitnami/sealed-secrets.svg)](https://github.com/bitnami/sealed-secrets/releases/latest)\n[![](https://img.shields.io/homebrew/v/kubeseal)](https://formulae.brew.sh/formula/kubeseal)\n[![Build Status](https://github.com/bitnami/sealed-secrets/actions/workflows/ci.yml/badge.svg)](https://github.com/bitnami/sealed-secrets/actions/workflows/ci.yml)\n[![](https://img.shields.io/github/v/release/bitnami/sealed-secrets?include_prereleases\u0026label=helm\u0026sort=semver)](https://github.com/bitnami/sealed-secrets/releases)\n[![Download Status](https://img.shields.io/docker/pulls/bitnami/sealed-secrets-controller.svg)](https://hub.docker.com/r/bitnami/sealed-secrets-controller)\n[![Go Report Card](https://goreportcard.com/badge/github.com/bitnami/sealed-secrets)](https://goreportcard.com/report/github.com/bitnami/sealed-secrets)\n![Downloads](https://img.shields.io/github/downloads/bitnami/sealed-secrets/total.svg)\n\n**Problem:** \"I can manage all my K8s config in git, except Secrets.\"\n\n**Solution:** Encrypt your Secret into a SealedSecret, which *is* safe\nto store - even inside a public repository. The SealedSecret can be\ndecrypted only by the controller running in the target cluster and\nnobody else (not even the original author) is able to obtain the\noriginal Secret from the SealedSecret.\n\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON\u0027T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n\n- [Overview](#overview)\n  - [SealedSecrets as templates for secrets](#sealedsecrets-as-templates-for-secrets)\n  - [Public key / Certificate](#public-key--certificate)\n  - [Scopes](#scopes)\n- [Installation](#installation)\n  - [Installation in Restricted Environments (No RBAC)](#installation-in-restricted-environments-no-rbac)\n  - [Controller](#controller)\n    - [Kustomize](#kustomize)\n    - [Helm Char",
  "github_repo": "bitnami-labs/sealed-secrets",
  "github_stars": 9157,
  "github_topics": [
    "devops-workflow",
    "encrypt-secrets",
    "gitops",
    "kubernetes",
    "kubernetes-secrets"
  ],
  "homepage": "https://github.com/bitnami-labs/sealed-secrets",
  "homepage_og_description": null,
  "homepage_og_image": null,
  "homepage_title": null,
  "installs_30d": 2345,
  "installs_365d": 23609,
  "installs_90d": 5907,
  "keg_only": 0,
  "keg_only_reason": null,
  "last_seen": "2026-06-20T23:34:18+00:00",
  "license": "Apache-2.0",
  "llm_generated_at": "2026-06-20T23:47:44+00:00",
  "llm_model": "claude-haiku-4-5",
  "name": "kubeseal",
  "oldnames": [],
  "one_liner": "Go command-line tool to encrypt Kubernetes Secrets into SealedSecrets that only a cluster controller can decrypt.",
  "optional_dependencies": [],
  "rank_30d": 898,
  "rank_365d": 990,
  "rank_90d": 1018,
  "raw_hash": "77b23b9566686713",
  "recommended_dependencies": [],
  "revision": 0,
  "ruby_source_path": "Formula/k/kubeseal.rb",
  "tap": "homebrew/core",
  "test_dependencies": [],
  "uses_from_macos": [],
  "version_head": "HEAD",
  "version_stable": "0.38.1",
  "versioned_formulae": [],
  "why_use_this": "Enables GitOps workflows by making it safe to store encrypted secrets in version control alongside your cluster config. The kubeseal CLI encrypts secrets client-side using a cluster-specific public key; only the in-cluster controller with the private key can decrypt them, so you never commit plaintext secrets or manage keys manually."
}