Credential access
Handles secret manifests and cluster public keys; input files may contain sensitive values.
brew
Kubernetes controller and tool for one-way encrypted Secrets. Version 0.38.4 via Homebrew; verified 2026-07-04.
agent safety
kubeseal transforms Kubernetes secrets and is tied to cluster secret-management workflows.
Handles secret manifests and cluster public keys; input files may contain sensitive values.
Does not usually mutate clusters directly, but output is intended for cluster application.
Can produce sealed secret artifacts committed or deployed to clusters.
Gate commands that read plaintext secret files or write deployable sealed secrets.
Allow public-key fetches; require approval before processing plaintext secrets or writing manifests.
install
brew install kubeseallocal Homebrew formula metadata
sudo port install kubesealMacPorts ports tree · sysutils/kubeseal/Portfile · source: api.github.com
sudo apk add kubesealAlpine Linux edge package indexes · kubeseal · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#kubesealnixpkgs package indexes · pkgs/by-name/ku/kubeseal/package.nix · source: api.github.com
sudo pacman -S kubesealArch Linux sync databases · kubeseal · source: geo.mirror.pkgbuild.com
sudo zypper install kubesealopenSUSE Tumbleweed package metadata · kubeseal · source: download.opensuse.org
scoop install main/kubesealScoop official bucket manifest trees · bucket/kubeseal.json · source: api.github.com
overview
Kubernetes controller and tool for one-way encrypted Secrets
history
kubeseal is the client-side utility for Bitnami Sealed Secrets, a Kubernetes controller and custom resource pattern for storing encrypted Secrets safely in Git.
Sealed Secrets addresses the GitOps-era problem of managing Kubernetes configuration in version control while keeping Secret values encrypted. The project is split into a cluster-side controller/operator and the kubeseal CLI. kubeseal uses asymmetric cryptography to encrypt a Kubernetes Secret into a SealedSecret custom resource that only the target cluster's controller can decrypt.
kubeseal became a common companion tool for teams that wanted declarative Kubernetes deployments without introducing an external secret store into every workflow. Its release notes and README document distribution through Homebrew, MacPorts, Nixpkgs, Linux binaries, and controller manifests.
A typical workflow creates or exports a Kubernetes Secret manifest, pipes it through kubeseal, commits the resulting SealedSecret YAML, and lets the in-cluster controller unseal it back into a normal Kubernetes Secret.
kubeseal is package-nerd interesting because the CLI is only half of the product: the packaged binary must line up with a CRD/controller deployed in the cluster. It also turned a security-sensitive Kubernetes workflow into a small Unix-friendly command-line transform.
security posture
broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
kubeseal | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/bitnami/sealed-secrets
install metadata
| Package key | brew:kubeseal |
|---|---|
| Version | 0.38.4 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/kubeseal |
| Homepage | https://github.com/bitnami/sealed-secrets |
| Repository | https://github.com/bitnami/sealed-secrets |
| Upstream docs | https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md |
| License | Apache-2.0 |
| Source archive | https://github.com/bitnami/sealed-secrets.git |
| Last updated | 2026-07-04T16:53:43+09:00 |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | kubeseal |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
kubeseal
nix profile install nixpkgs#kubesealkubeseal 0.37.0-r0
A Kubernetes controller and tool for one-way encrypted Secrets
https://github.com/bitnami-labs/sealed-secrets
sudo apk add kubesealkubeseal-doc 0.37.0-r0
A Kubernetes controller and tool for one-way encrypted Secrets (documentation)
https://github.com/bitnami-labs/sealed-secrets
sudo apk add kubeseal-dockubeseal 0.35.0-2
A Kubernetes controller and tool for one-way encrypted Secrets
https://github.com/bitnami-labs/sealed-secrets
sudo pacman -S kubesealkubeseal 0.37.0-1.1
CLI for encrypting secrets to SealedSecrets
https://github.com/bitnami-labs/sealed-secrets
sudo zypper install kubesealkubeseal
sudo port install kubesealmain/kubeseal
scoop install main/kubesealsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.