# Install kubeseal with Homebrew, apk, MacPorts, Nix, pacman, scoop, zypper

Kubernetes controller and tool for one-way encrypted Secrets. Version 0.38.4 via Homebrew; verified 2026-07-04.

## Install

```sh
sudo av install brew:kubeseal
```

## Agent safety answer

kubeseal transforms Kubernetes secrets and is tied to cluster secret-management workflows.

- **Credential access:** Handles secret manifests and cluster public keys; input files may contain sensitive values.
- **Remote mutation:** Does not usually mutate clusters directly, but output is intended for cluster application.
- **Publish/artifact risk:** Can produce sealed secret artifacts committed or deployed to clusters.
- **Recommended control:** Gate commands that read plaintext secret files or write deployable sealed secrets.
- **Agent-use guidance:** Allow public-key fetches; require approval before processing plaintext secrets or writing manifests.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install kubeseal
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install kubeseal
```

  Evidence: MacPorts ports tree: sysutils/kubeseal/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add kubeseal
```

  Evidence: Alpine Linux edge package indexes: kubeseal from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#kubeseal
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ku/kubeseal/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S kubeseal
```

  Evidence: Arch Linux sync databases: kubeseal from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install kubeseal
```

  Evidence: openSUSE Tumbleweed package metadata: kubeseal from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/kubeseal
```

  Evidence: Scoop official bucket manifest trees: bucket/kubeseal.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:kubeseal
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/kubeseal>
- **Version:** 0.38.4
- **Source summary:** Kubernetes controller and tool for one-way encrypted Secrets
- **Homepage:** <https://github.com/bitnami/sealed-secrets>
- **Repository:** <https://github.com/bitnami/sealed-secrets>
- **Upstream docs:** <https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/bitnami/sealed-secrets.git>
- **Last updated:** 2026-07-04T16:53:43+09:00
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- kubeseal (cli)
- kubeseal (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.38.4
- Package-manager updated: 2026-07-04
- Local data: ok
- Upstream repository: https://github.com/bitnami/sealed-secrets
- info: No cached GitHub release or tag data was available.
## Project history and usage

kubeseal is the client-side utility for Bitnami Sealed Secrets, a Kubernetes controller and custom resource pattern for storing encrypted Secrets safely in Git.

### Project history

Sealed Secrets addresses the GitOps-era problem of managing Kubernetes configuration in version control while keeping Secret values encrypted. The project is split into a cluster-side controller/operator and the kubeseal CLI. kubeseal uses asymmetric cryptography to encrypt a Kubernetes Secret into a SealedSecret custom resource that only the target cluster's controller can decrypt.

### Adoption history

kubeseal became a common companion tool for teams that wanted declarative Kubernetes deployments without introducing an external secret store into every workflow. Its release notes and README document distribution through Homebrew, MacPorts, Nixpkgs, Linux binaries, and controller manifests.

### How it is used

A typical workflow creates or exports a Kubernetes Secret manifest, pipes it through kubeseal, commits the resulting SealedSecret YAML, and lets the in-cluster controller unseal it back into a normal Kubernetes Secret.

### Why package nerds care

kubeseal is package-nerd interesting because the CLI is only half of the product: the packaged binary must line up with a CRD/controller deployed in the cluster. It also turned a security-sensitive Kubernetes workflow into a small Unix-friendly command-line transform.

### Timeline

- 2026: The v0.38.1 release page listed controller installation YAML and kubeseal client binaries, including Homebrew instructions for macOS.

### Related projects

- Related tools and patterns include Kubernetes Secrets, GitOps controllers such as Argo CD and Flux, external-secrets operators, SOPS, and cloud KMS-backed secret-management workflows.

### Sources

- <https://github.com/bitnami-labs/sealed-secrets/blob/main/README.md>
- <https://github.com/bitnami-labs/sealed-secrets/releases>


## Security Notes

broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- broad file, network, media, or database tool signal
- infrastructure mutation or orchestration signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** kubeseal
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - kubeseal: normalized package name match | nixpkgs package indexes: pkgs/by-name/ku/kubeseal/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - kubeseal - 0.37.0-r0: normalized package name match | Alpine Linux edge package indexes: kubeseal from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | A Kubernetes controller and tool for one-way encrypted Secrets | https://github.com/bitnami-labs/sealed-secrets
- apk - kubeseal-doc - 0.37.0-r0: normalized package name match | Alpine Linux edge package indexes: kubeseal-doc from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | A Kubernetes controller and tool for one-way encrypted Secrets (documentation) | https://github.com/bitnami-labs/sealed-secrets
- pacman - kubeseal - 0.35.0-2: normalized package name match | Arch Linux sync databases: kubeseal from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | A Kubernetes controller and tool for one-way encrypted Secrets | https://github.com/bitnami-labs/sealed-secrets
- zypper - kubeseal - 0.37.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: kubeseal from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI for encrypting secrets to SealedSecrets | https://github.com/bitnami-labs/sealed-secrets
- MacPorts - kubeseal: normalized package name match | MacPorts ports tree: sysutils/kubeseal/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/kubeseal: normalized package name match | Scoop official bucket manifest trees: bucket/kubeseal.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [ksops](https://www.automicvault.com/pkg/brew/ksops/) - Shares av.db curated category or tags: cli, kubernetes, secrets, security.
- [gator](https://www.automicvault.com/pkg/brew/gator/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kube-bench](https://www.automicvault.com/pkg/brew/kube-bench/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kubehound](https://www.automicvault.com/pkg/brew/kubehound/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [kubescape](https://www.automicvault.com/pkg/brew/kubescape/) - Shares av.db curated category or tags: cli, kubernetes, security.
- [blackbox](https://www.automicvault.com/pkg/brew/blackbox/) - Shares av.db curated category or tags: cli, encryption, secrets, security.
- [fnox](https://www.automicvault.com/pkg/brew/fnox/) - Shares av.db curated category or tags: cli, encryption, secrets, security.
- [git-crypt](https://www.automicvault.com/pkg/brew/git-crypt/) - Shares av.db curated category or tags: cli, encryption, secrets, security.

## Combined YAML source

View the package source record on GitHub. [combined/kubeseal.yml](https://github.com/automic-vault/db/blob/main/combined/kubeseal.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
