kubekrypt

The project is in a healthy, maintained state
KubeKrypt provides seamless encryption and decryption of Kubernetes Secret manifests using Google Cloud KMS
KubeKrypt

A command-line tool for securely encrypting and decrypting Kubernetes Secret manifests using Google Cloud KMS encryption keys.

Overview

KubeKrypt provides a simple and secure way to manage sensitive information in Kubernetes Secret manifests. It allows you to encrypt Secret manifests before they're stored in version control systems, and decrypt them when they need to be applied to a cluster.

Features

  • Secure Encryption: Uses Google Cloud KMS to encrypt sensitive data in Kubernetes Secret manifests
  • Simple Interface: Easy-to-use CLI commands for encryption and decryption
  • Metadata Tracking: Embeds metadata in encrypted files for tracking and verification
  • Stdout Integration: Outputs to standard out for easy piping and redirection
  • Base64 Processing: Automatically handles base64 encoding/decoding under the hood, maintaining compatibility with Kubernetes Secret format

Installation

KubeKrypt uses the google-cloud-kms gem, which requires an environment variable to be set in order to authenticate to Google Cloud. You need one of:

  • GOOGLE_CLOUD_CREDENTIALS - Path to JSON file, or JSON contents
  • GOOGLE_APPLICATION_CREDENTIALS - Path to JSON file

Usage

Encrypting a Secret

kubekrypt encrypt secret.yaml -k projects/your-project/locations/global/keyRings/your-keyring/cryptoKeys/your-key > secret.enc.yaml

Decrypting a Secret

kubekrypt decrypt secret.enc.yaml > secret.yaml

Piping to kubectl

kubekrypt decrypt --base64 secret.enc.yaml | kubectl apply -f -

Checking Version

kubekrypt version

How It Works

  1. KubeKrypt reads your Kubernetes Secret YAML file

  2. For encryption, it:

    • Validates that it's a proper Kubernetes Secret
    • Ensures it's not already encrypted
    • Decodes base64 values to get raw data
    • Uses Google Cloud KMS to encrypt sensitive data
    • Re-encodes with base64 as needed
    • Adds metadata about the encryption
    • Outputs the encrypted YAML

  3. For decryption, it:

    • Verifies the file contains KubeKrypt encryption metadata
    • Uses the embedded information to decrypt the data
    • Handles all necessary base64 encoding/decoding
    • Outputs the original Secret YAML
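The encryption and decryption flow described above, as an added Ruby example that is not the kubekrypt gem's own code: the KMS call is injected so the validation, base64 handling and metadata steps can be exercised offline. The annotation name, the FakeKms stand-in (an XOR pad, which is not encryption) and the sample manifest are assumptions constructed for this example.

```ruby
require "yaml"
require "base64"

# Assumed annotation name used to mark an encrypted manifest and record the key.
ANNOTATION = "kubekrypt.io/key".freeze

# Stand-in for a Cloud KMS client. The real tool calls Google Cloud KMS with the
# key named by -k; this XOR pad only lets the round trip run without network access.
class FakeKms
  attr_reader :key_name
  def initialize(key_name)
    @key_name = key_name
  end
  def encrypt(plaintext)
    plaintext.bytes.map { |b| b ^ 0x5A }.pack("C*")
  end
  def decrypt(ciphertext)
    encrypt(ciphertext) # XOR with a fixed pad is its own inverse
  end
end

def encrypt_secret(yaml_text, kms)
  doc = YAML.safe_load(yaml_text)
  raise "not a Kubernetes Secret" unless doc["kind"] == "Secret"
  raise "already encrypted" if doc.dig("metadata", "annotations", ANNOTATION)
  # Decode each base64 value, encrypt the raw bytes, re-encode the ciphertext
  doc["data"] = doc.fetch("data", {}).transform_values do |v|
    Base64.strict_encode64(kms.encrypt(Base64.strict_decode64(v)))
  end
  annotations = ((doc["metadata"] ||= {})["annotations"] ||= {})
  annotations[ANNOTATION] = kms.key_name # metadata needed for decryption
  doc.to_yaml
end

def decrypt_secret(yaml_text, kms)
  doc = YAML.safe_load(yaml_text)
  key = doc.dig("metadata", "annotations", ANNOTATION)
  raise "missing KubeKrypt metadata" unless key
  raise "key mismatch" unless key == kms.key_name
  doc["data"] = doc["data"].transform_values do |v|
    Base64.strict_encode64(kms.decrypt(Base64.strict_decode64(v)))
  end
  doc["metadata"]["annotations"].delete(ANNOTATION)
  doc.to_yaml
end

SAMPLE = <<~YAML # constructed input manifest
  apiVersion: v1
  kind: Secret
  metadata:
    name: db
  data:
    password: #{Base64.strict_encode64("hunter2")}
YAML
```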

Security

KubeKrypt never stores encryption keys locally. All encryption and decryption operations are performed using Google Cloud KMS, ensuring that key material is never exposed.

Requirements

  • Ruby 3.4+
  • Access to a KMS key with appropriate permissions

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.