| 1 | +--- |
| 2 | +title: "Sealed Secrets as Secret Management" |
| 3 | +date: "2025-03-31" |
| 4 | +--- |
| 5 | + |
| 6 | +| status: | date: | decision-makers: | |
| 7 | +| --- | --- | --- | |
| 8 | +| proposed | 2025-03-31 | Kasper Møller | |
| 9 | + |
| 10 | +## Context and Problem Statement |
| 11 | + |
| 12 | +Managing secrets in Kubernetes is a critical aspect of ensuring the security of sensitive data such as API keys, passwords, and certificates. Kubernetes Secrets, while convenient, store data in plaintext by default, which poses a security risk. To increase security of the sensitive data at rest, encryption is necessary. |
| 13 | + |
| 14 | +### Do i need it |
| 15 | + |
| 16 | +If it is possible to use a cloud-provided security management tool (e.g., AWS KMS, Azure Key Vault, or GCP KMS), it is recommended to use those tools for secret management. However, when cloud-based solutions are not viable, a robust and secure alternative is required to manage secrets effectively. |
| 17 | + |
| 18 | +### The criterias of making a choice |
| 19 | + |
| 20 | +* **Security:** Is there sensitive data that requires stronger protection than Kubernetes' default base64 encoding? |
| 21 | +* **Scalability:** What is the scale of the application, and how many secrets need to be managed? |
| 22 | +* **Expertise:** What level of experience does the team have with secret management tools? |
| 23 | + |
| 24 | +## Considered Options |
| 25 | + |
| 26 | +* **SOPS:** A simple and lightweight tool for managing secrets. It encrypts YAML, JSON, ENV, INI and BINARY files using a variety of backends (e.g., AWS KMS, GCP KMS, Azure Key Vault, age, and PGP). |
| 27 | +* **Sealed Secrets:** A Kubernetes-native solution that encrypts secrets using a controller and a public/private key pair. It is simple to use but tightly coupled to Kubernetes. |
| 28 | +* **HashiCorp Vault:** A feature-rich secret management solution. |
| 29 | + |
| 30 | +## Decision Outcome |
| 31 | + |
| 32 | +Chosen option: **Sealed Secrets**, because of the simple integration in the Kubernetes cluster and the management of encryption and decryption. |
| 33 | + |
| 34 | +**Sealed Secrets** is an open-source solution provided by Bitnami that encrypts secrets using a public/private key pair. The encrypted secrets can be safely stored in version control systems like Git, ensuring secure collaboration and auditability. The decryption happens inside the Kubernetes cluster, where the private key is securely managed by the **Sealed Secrets** controller. |
| 35 | + |
| 36 | +**Sealed Secrets** also supports secret rotation, with a default rotation period of 30 days. However, manual intervention is required to re-encrypt existing secrets. Additionally, since **Sealed Secrets** retains all private keys for decryption, it is necessary to manually remove legacy keys once all secrets have been updated. |
| 37 | + |
| 38 | +### Consequences |
| 39 | + |
| 40 | +* **Good, because:** |
| 41 | + * Seamless integration with Kubernetes clusters. |
| 42 | + * Secrets can be safely stored in Git repositories. |
| 43 | + * Simplifies the encryption and decryption process. |
| 44 | + * Option of rotation the public/private key pair. |
| 45 | + |
| 46 | +* **Bad, because:** |
| 47 | + * Manual tasks to update secrets to latest encryption could be an issue in larger projects if no strategy is made. |
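Review bot: the Context and Problem Statement motivates the decision with encryption of sensitive data at rest, but Sealed Secrets only protects a secret while it travels through Git and manifests; once the controller unseals it, the result is an ordinary Secret object in the cluster, so the chosen option does not by itself deliver what that paragraph asks for. Suggest rewording the motivation to protecting secrets in version control and, if at-rest protection inside the cluster is also a goal, naming etcd encryption at rest as a separate, complementary control in the Consequences. Under "Bad, because:" also record that the controller's private key is the single recovery point: the Decision Outcome says it "is securely managed by the **Sealed Secrets** controller", and the ADR should state who backs up that key and how, since losing it leaves every committed SealedSecret undecryptable. Minor wording: "Do i need it" and "The criterias of making a choice" should read "Do I need it?" and "Criteria for making a choice", and "Option of rotation the public/private key pair" should read "Option of rotating the public/private key pair".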