jcrugzz / lockbox

Offline encryption of Kubernetes Secrets


Lockbox

Go package documentation: https://pkg.go.dev/github.com/cloudflare/lockbox

Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, locket, makes encrypting secrets a one-step process.

Features

  • Secure encryption using modern cryptography: Curve25519 for key agreement, Salsa20 for encryption, and Poly1305 for authentication.
  • Secrets are locked to specific namespaces.
  • All Kubernetes Secret types are supported.
  • Plays nicely with Secrets created by other controllers.
  • Continuously reconciles child resources.
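The description above (asymmetric encryption that only the controller's private key can open, with each Lockbox locked to a namespace) is the whole security argument of the project, so here is an added, self-contained model of that design. This is example code, not lockbox's or locket's own implementation, and it does not reproduce the real Lockbox wire format: it stands in for the Curve25519/Salsa20/Poly1305 box construction with Go's standard-library X25519 (crypto/ecdh) plus AES-GCM, because the standard library has no Salsa20. The names GenerateControllerKey, Seal and Open, the SHA-256 key derivation and the AAD layout are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// KeyPair is the controller's long-lived X25519 key. Only the private half ever
// lives in the cluster; the public half is all the offline encryptor needs.
type KeyPair struct {
	Priv *ecdh.PrivateKey
	Pub  *ecdh.PublicKey
}

// GenerateControllerKey is the one-time setup step on the controller side.
func GenerateControllerKey() (*KeyPair, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Priv: priv, Pub: priv.PublicKey()}, nil
}

// Lockbox is the encrypted form of one Secret: metadata stays in the clear,
// every data value is sealed to the controller's public key.
// (Hypothetical layout for this example, not the project's CRD schema.)
type Lockbox struct {
	Namespace    string
	Name         string
	EphemeralPub []byte // sender's one-time X25519 public key
	Data         map[string]Sealed
}

// Sealed is one encrypted data value with its random AES-GCM nonce.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// aad binds a value to its namespace, Secret name and data key, so a ciphertext
// copied into another namespace or under another key fails authentication.
func aad(namespace, name, key string) []byte {
	return []byte(namespace + "/" + name + "/" + key)
}

// deriveKey turns the X25519 shared secret into an AES-256 key. Both public keys
// are mixed in so the key is bound to this sender/recipient pair (example KDF).
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("lockbox-example-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the offline (locket) side: it needs only the controller's public key.
func Seal(recipient *ecdh.PublicKey, namespace, name string, data map[string][]byte) (*Lockbox, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared, eph.PublicKey().Bytes(), recipient.Bytes()))
	if err != nil {
		return nil, err
	}
	lb := &Lockbox{Namespace: namespace, Name: name, EphemeralPub: eph.PublicKey().Bytes(), Data: map[string]Sealed{}}
	for k, v := range data {
		nonce := make([]byte, aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		lb.Data[k] = Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, v, aad(namespace, name, k))}
	}
	return lb, nil
}

// Open is the controller side: only the holder of the private key can recover
// the data, and only for the namespace/name the Lockbox was sealed for.
func Open(priv *ecdh.PrivateKey, lb *Lockbox) (map[string][]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(lb.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared, lb.EphemeralPub, priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(lb.Data))
	for k, s := range lb.Data {
		pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, aad(lb.Namespace, lb.Name, k))
		if err != nil {
			// Wrong private key, tampered ciphertext, or a Lockbox moved to another namespace.
			return nil, fmt.Errorf("data key %q: %w", k, err)
		}
		out[k] = pt
	}
	return out, nil
}

func main() {
	ctrl, _ := GenerateControllerKey()
	lb, _ := Seal(ctrl.Pub, "default", "mysecret", map[string][]byte{"foo": []byte("bar")})
	got, err := Open(ctrl.Priv, lb)
	fmt.Println(string(got["foo"]), err)
	lb.Namespace = "other" // moving the Lockbox across namespaces must fail
	_, err = Open(ctrl.Priv, lb)
	fmt.Println("moved to other namespace:", err != nil)
}
```

The point to take from the model is the separation of trust: the encrypting machine never holds anything more sensitive than a public key, so the plaintext manifest can be produced on a laptop and committed in encrypted form, while the authenticated associated data is what makes the "locked to a namespace" feature a cryptographic guarantee rather than a controller-side policy check.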

Example Usage

Create a native Secret, but pass --dry-run=client so that kubectl only renders the manifest and does not submit it to the API (older kubectl releases spell this flag --dry-run).

$ kubectl create secret generic mysecret --namespace default \
  --from-literal=foo=bar --dry-run=client -o yaml > mysecret.yaml

Then, use locket to encrypt the secret.

$ locket -f mysecret.yaml > mylockbox.yaml

Submit the lockbox to the API.

$ kubectl create -f mylockbox.yaml

Remove the unencrypted manifest; only mylockbox.yaml should be kept, committed, or shared.

$ rm mysecret.yaml


License: BSD 3-Clause "New" or "Revised" License
