DEV Community

loading...

Sekret: Encryption tool for Kubernetes Secrets

nownabe profile image nownabe ・2 min read

Sekret is a CLI tool to encrypt and edit Kubernetes Secrets. Sekret makes management and deployment for Secret secure and simple.

Motivations

  • want version controlled Secret like other resources (e.g., deployments)
  • want to commit encrypted Secret YAMLs
  • want to edit encrypted Secret YAMLs easily
  • want to apply decrypted Secret YAMLs easily

Functionalities

  • Encrypt plain YAMLs
  • Decrypt encrypted YAMLs
  • Create new encrypted Secret YAMLs
  • Edit encrypted Secret YAMLs as plain text

Demo

asciicast

Installation

You can get Sekret with go get.

go get github.com/nownabe/sekret
Enter fullscreen mode Exit fullscreen mode

Also, you can download binaries from GitHub Releases.

curl -sSL -o /path/to/sekret https://github.com/nownabe/sekret/releases/download/v1.1.0/sekret_linux_amd64
chmod +x /path/to/sekret
Enter fullscreen mode Exit fullscreen mode

Usage

sekret command is used following subcommands enc / dec / new / edit.

sekret subcommand [options] filename
Enter fullscreen mode Exit fullscreen mode

The environment variable ENCRYPTION_KEY is used as the encryption key for all subcommands. Encryption keys must be 16 or 32 bytes. EDITOR variable specifies the editor for new and edit subcommands. Command options can also specify them.

Encrypt

Following commands encrypt secret.yaml and then commit it on Git.

$ export ENCRYPTION_KEY=$(cat /dev/urandom | base64 | fold -32 | head -1)
$ sekret enc secret.yaml > secret.yaml.enc
$ git add secret.yaml.enc
$ git commit
Enter fullscreen mode Exit fullscreen mode

Decrypt

Easy to decrypt and apply Secrets.

$ sekret dec secret.yaml.enc | kubectl apply -f -
Enter fullscreen mode Exit fullscreen mode

Create New Encrypted Secrets

new subcommand creates a new encrypted Secret YAMLs.

$ export EDITOR=vim
$ sekret new secret.yaml.enc
Enter fullscreen mode Exit fullscreen mode

sekret new opens specified editor with the Secret template like following YAML.

apiVersion: v1
data:
  Key: Value
kind: Secret
metadata:
  creationTimestamp: null
  name: new-secret
type: Opaque
Enter fullscreen mode Exit fullscreen mode

Values of data must be encoded as base64 in Kubernetes Secrets, but sekret encodes and decodes automatically on opening and saving them. So you can write YAML as completely plain text. If you want to edit as base64, use --decode-base64=false option.

Sekret validates before saving YAML, so it doesn't save YAML when invalid.

Edit Encrypted Secrets

You can edit encrypted Secret YAML like plaintexts with edit subcommand.

$ sekret edit secret.yaml.enc
Enter fullscreen mode Exit fullscreen mode

sekret edit opens decrypted and base64 decoded YAML in the specified editor. When the editor is closed, it saves encrypted and base64 encoded YAML. Of course, it validates YAML before saving.

Conclusion

Sekret makes lifecycle of Sekret very simple and secure. It is effortless to manage and deploy Secret YAML.

Discussion (0)

pic
Editor guide