{"id":43641658,"url":"https://github.com/sebidude/kubecrypt","last_synced_at":"2026-02-04T18:06:12.433Z","repository":{"id":57494181,"uuid":"173624487","full_name":"sebidude/kubecrypt","owner":"sebidude","description":"Helper for dealing with secrets in kubernetes.","archived":false,"fork":false,"pushed_at":"2024-01-10T10:21:13.000Z","size":167,"stargazers_count":23,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-19T04:24:48.082Z","etag":null,"topics":["ci-cd","client","crypto","kubernetes","pipeline","secrets"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sebidude.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-03T20:12:17.000Z","updated_at":"2024-01-10T10:21:31.000Z","dependencies_parsed_at":"2024-06-19T04:12:36.798Z","dependency_job_id":"ae29f4bc-7782-4751-85f0-003950d35ee9","html_url":"https://github.com/sebidude/kubecrypt","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/sebidude/kubecrypt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebidude%2Fkubecrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebidude%2Fkubecrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebidude%2Fkubecrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebidude%2Fkubecrypt/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/sebidude","download_url":"https://codeload.github.com/sebidude/kubecrypt/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sebidude%2Fkubecrypt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29092792,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T03:31:03.593Z","status":"ssl_error","status_checked_at":"2026-02-04T03:29:50.742Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","client","crypto","kubernetes","pipeline","secrets"],"created_at":"2026-02-04T18:06:12.370Z","updated_at":"2026-02-04T18:06:12.428Z","avatar_url":"https://github.com/sebidude.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kubecrypt\n\nkubecrypt wants to help you to solve a bunch of problems when it comes to secrets.  \nThis project was inspired by [Bitnami Labs sealed-secrets](https://github.com/bitnami-labs/sealed-secrets) and the fact that I needed to solve some problems around storing secret data and use them in pipelining.  \n\nContributions are welcome. The code is working and tested manually. As this is a kubernetes client, I recommend to build the tool and deploy it with some docker image if you need to use it in your pipelines.  
\n\nIt can do the following things:\n* list secrets for a namespace\n* print values from a secret\n* encrypt / decrypt data using a tls secret from the cluster\n* encrypt / decrypt all values for a map in a yaml file\n* convert a yaml map with encrypted values to a plain kubernetes secret\n* remove keys from a secret\n* update keys of a secret\n\n## Install\n\n```\ngo get github.com/sebidude/kubecrypt/...\ngo install github.com/sebidude/kubecrypt/cmd/kubecrypt\n```\n\n\n\n## Usage\n\nYou can always use the --help flag. Besides handling your secrets you can also use kubecrypt to quickly encrypt some text and share it with your co-workers via chat in a secure way. \n\nkubecrypt will look up the `KUBECONFIG` environment variable to find the configuration for the kubernetes client. If the variable is empty it will look up the default path `$HOME/.kube/config`. If a kubeconfig resides there, it will use this one. You have to set the environment variable `KUBECONFIG` if you want to use a config which is not located at the default path.  \nIf `KUBECONFIG` is not set and no configuration is found at the default path, kubecrypt will act as an in-cluster client and will use the token from the service-account of the context it is running in.\n\n### Init the kubecrypt secret with kubecrypt\nBy default kubecrypt will use a secret of type tls named `kubecrypt` in namespace `kubecrypt`. So first create the namespace `kubecrypt` and then run init\n```\nkubectl create namespace kubecrypt\nkubecrypt init\n```\nIf you want to use a different namespace and secretname, you can tell kubecrypt with `-t`\n```\nkubecrypt -t testing/secretencryption init\n```\nThis will create a tls secret with name `secretencryption` in namespace `testing`. As kubecrypt has no config file, you have to pass the `-t` option every time you don't use the default `kubecrypt/kubecrypt`. 
\n\n### Init the kubecrypt secret manually.\n\nIn case you don't want to use certs and key generated with kubecrypt, you can use openssl:\nGenerate a key and a self-signed cert for kubecrypt\n```\nopenssl genrsa -out tls.key 4096\nopenssl req -key tls.key -x509 -days 365 -out tls.crt -subj \"/C=XX/ST=Coruscant/L=Temple/O=Force/OU=Temple Admins/CN=Jedis\"\n```\n\nAdd the cert and key to the cluster\n```\nkubectl create namespace kubecrypt\nkubectl create secret tls kubecrypt -n kubecrypt --cert=tls.crt --key=tls.key\n```\n\nStore the key in a secret place!\n\n### Encrypt and Decrypt data\n\nYou can encrypt data using a tls secret from the cluster. The encrypted output is always base64 raw url encoded.\n\n```\n# encrypt to stdout\necho This is some data | kubecrypt enc\n\n# encrypt to a file\necho This is some data | kubecrypt enc -o encrypted.txt\n```\n\nDecrypt data this way\n```\n# decrypt from file\nkubecrypt dec -i encrypted.txt\n\n# decrypt from stdin\ncat encrypted.txt | kubecrypt dec\n\n# or\necho This is some data | kubecrypt enc | kubecrypt dec\n```\n\n---\n### Encrypt and decrypt values from a yaml map\n\nIf you have an input file in yaml format, you can encrypt or decrypt all members of a map with a given key. 
Note that this will only work with string values.\n\nExample yaml file unsafe.yaml:\n\n```yaml\ndata:\n  password: f0oB4r\n  key: mykey\napp:\n  values:\n    port: \"8080\"\n    path: \"/home\"\n  secrets:\n    dbpass: dbpassword\n    apikey: some-super-secret-key\n```\n\nNow encrypt all values for the keys in the map `data`:\n\n```\n# from stdin\ncat unsafe.yaml | kubecrypt yaml -e -k data\n\n# from file\nkubecrypt yaml -e -k data -i unsafe.yaml\n\n# from file to output file\nkubecrypt yaml -e -k data -i unsafe.yaml -o safe.yaml\n\n# descend deeper into some map\nkubecrypt yaml -i unsafe.yaml -e -k app.secrets -o safe.yaml\n```\n\nIf you skip the `-e` flag, the input will be decrypted\n\n```\nkubecrypt yaml -i safe.yaml -k data\n```\n\n---\n### Convert the values from an encrypted yaml map to a kubernetes secret\n\n```\nkubecrypt convert mysecret -i safe.yaml -k data -o mysecret.yaml\n```\n\n---\n### Create an encrypted yaml map from a kubernetes secret\n\nwith `--dry-run` and `--from-file=-`\n```\nkubectl create secret generic --dry-run foobar --from-file=somefile.json -o yaml | kubecrypt convert -e -k mykey foobar --from-file=-\n```\n\nor \n\n```\nkubectl create secret generic --dry-run foobar --from-file=somefile.json -o yaml \u003e mysecret.yaml\nkubecrypt convert -e -k mykey foobar --from-file=mysecret.yaml\nkubecrypt convert -e -k mykey foobar -f mysecret.yaml\n```\n\n---\n### Update and remove keys from kubernetes secrets in cluster\n\nUpdate a key of an existing secret. If the key doesn't exist, it will be added to the secret\n\n```\nkubecrypt update -k foo=bar -k token=updatedToken mysecret\n```\n\nRemove a key from secret\n```\nkubecrypt update -r foo mysecret\n```\n\n### Backup the cert and key for kubecrypt\nTo create a backup of the key and cert simply load them from the cluster:\n\n```\n# backup to textfile\nkubecrypt get -n kubecrypt kubecrypt \u003e kubecrypt.backup.txt\n\n# backup to yamlfile\nkubecrypt convert kubecrypt -e -n kubecrypt -k secret | 
kubecrypt yaml -k secret \u003e kubecrypt.yaml\n\n# backup to kubernetes secret\nkubectl get secret -n kubecrypt kubecrypt -o yaml \u003e kubecrypt.secret.yaml\n\n# backup to key and cert file\nkubecrypt get -n kubecrypt kubecrypt -k tls.key \u003e kubecrypt.key\nkubecrypt get -n kubecrypt kubecrypt -k tls.crt \u003e kubecrypt.crt\n\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebidude%2Fkubecrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsebidude%2Fkubecrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsebidude%2Fkubecrypt/lists"}