Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/cloudflare/lockbox

Offline encryption of Kubernetes Secrets
https://github.com/cloudflare/lockbox

kubernetes

Last synced: 26 days ago
JSON representation

Offline encryption of Kubernetes Secrets

Lists

README 

        
#+TITLE: Lockbox



[[https://pkg.go.dev/github.com/cloudflare/lockbox][https://pkg.go.dev/badge/github.com/cloudflare/lockbox.png]]



Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, =locket=, makes encrypting secrets a one-step process.



** Features

+ Secure encryption using modern cryptography. Uses Salsa20, Poly1305, and Curve25519.

+ Secrets are locked to specific namespaces.

+ All Kubernetes Secret types are supported.

+ Plays nicely with Secrets created by other controllers.

+ Continuously reconciles child resources.



** Example Usage

Create a native Secret, but pass =--dry-run= to avoid submitting to the API.



#+begin_example

$ kubectl create secret generic mysecret --namespace default \

  --from-literal=foo=bar --dry-run -o yaml > mysecret.yaml

#+end_example



Then, use locket to encrypt the secret.



#+begin_example

$ locket -f mysecret.yaml > mylockbox.yaml

#+end_example



Submit the lockbox to the API.



#+begin_example

$ kubectl create -f mylockbox.yaml

#+end_example



Remove the unencrypted secret.



#+begin_example

$ rm mysecret.yaml

#+end_example