Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, locket, makes encrypting secrets a one-step process.
- Secure encryption using modern cryptography. Uses Salsa20, Poly1305, and Curve25519.
- Secrets are locked to specific namespaces.
- All Kubernetes Secret types are supported.
- Plays nicely with Secrets created by other controllers.
- Continuously reconciles child resources.
Create a native Secret, but pass --dry-run to avoid submitting to the API.
$ kubectl create secret generic mysecret --namespace default \ --from-literal=foo=bar --dry-run -o yaml > mysecret.yaml
Then, use locket to encrypt the secret.
$ locket -f mysecret.yaml > mylockbox.yaml
Submit the lockbox to the API.
$ kubectl create -f mylockbox.yaml
Remove the unencrypted secret.
$ rm mysecret.yaml