Skip to content

cloudflare/lockbox

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Lockbox

https://pkg.go.dev/badge/github.com/cloudflare/lockbox.png

Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, locket, makes encrypting secrets a one-step process.

Features

  • Secure encryption using modern cryptography. Uses Salsa20, Poly1305, and Curve25519.
  • Secrets are locked to specific namespaces.
  • All Kubernetes Secret types are supported.
  • Plays nicely with Secrets created by other controllers.
  • Continuously reconciles child resources.

Example Usage

Create a native Secret, but pass --dry-run to avoid submitting to the API.

$ kubectl create secret generic mysecret --namespace default \
  --from-literal=foo=bar --dry-run -o yaml > mysecret.yaml

Then, use locket to encrypt the secret.

$ locket -f mysecret.yaml > mylockbox.yaml

Submit the lockbox to the API.

$ kubectl create -f mylockbox.yaml

Remove the unencrypted secret.

$ rm mysecret.yaml