Project

kubekrypt

0.0
No release in over a year
kubekryptknapo/kubekryptHomepageDocumentationSource CodeBug TrackerWiki
KubeKrypt provides seamless encryption and decryption of Kubernetes Secret menifests using Google Cloud KMS
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
2,140
Stars
2
Forks
0
Watchers
2
 Releases
Current version
2.2.2
Total releases
7
First release
1980-01-02
Latest release
2025-03-21
 Issues
Open Issues
0
Closed Issues
1
Total Issues
1
Issue Closure Rate
100%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
4
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2025-12-27
Reverse Dependencies
0

 Dependencies

Runtime

google-cloud-kms
>= 0
thor
>= 1.0
yaml
>= 0
grpc
>= 0
 Project Readme

Gem Version Ruby CI

KubeKrypt

A command-line tool for encrypting and decrypting Kubernetes Secret manifests using Google Cloud KMS.

Secret manifests can be safely committed to version control in their encrypted form and decrypted on demand — either to inspect values or to pipe directly into kubectl.

Installation

gem install kubekrypt

Or add it to your Gemfile:

gem "kubekrypt"

Requirements

  • Ruby >= 3.4
  • A Google Cloud KMS key with cloudkms.cryptoKeyVersions.useToEncrypt / useToDecrypt permissions

Authentication

KubeKrypt delegates authentication to the google-cloud-kms gem. Set one of the following environment variables:

Variable Description
GOOGLE_APPLICATION_CREDENTIALS Path to a service account JSON key file
GOOGLE_CLOUD_CREDENTIALS Path to JSON file, or JSON contents inline

Application Default Credentials (e.g. gcloud auth application-default login) are also supported.

Usage

Encrypt a Secret

kubekrypt encrypt secret.yaml \
  -k projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key \
  > secret.enc.yaml

Overwrite the file in place with --in-place / -i:

kubekrypt encrypt -i secret.yaml -k projects/my-project/...

Encrypt every Secret in a directory:

kubekrypt encrypt secrets/ -k projects/my-project/...

Each value under data is encrypted individually using KMS and prefixed with enc:. A kubekrypt metadata block is embedded in the output to record the KMS key used and the version:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  token: enc:CiQAjMDkZ3...
kubekrypt:
  kms_key: projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key
  version: 2.1.1
  modified_at: "2026-03-24T10:00:00Z"

Decrypt a Secret

kubekrypt decrypt secret.enc.yaml > secret.yaml

Or in place:

kubekrypt decrypt -i secret.enc.yaml

Decrypt every Secret in a directory:

kubekrypt decrypt -i secrets/

The KMS key is read from the embedded kubekrypt metadata — no need to specify it again.

Decrypt and apply directly with kubectl

Kubernetes Secret data values must be base64-encoded. Use --base64 to have KubeKrypt re-encode the decrypted values before output:

kubekrypt decrypt --base64 secret.enc.yaml | kubectl apply -f -

Check version

kubekrypt version

How it works

Encryption:

  1. Reads the YAML file and validates it is not already encrypted.
  2. Calls Google Cloud KMS to encrypt each value in the data map.
  3. Stores ciphertext as enc:<base64> in place of the original value.
  4. Appends a kubekrypt metadata block with the KMS key name, gem version, and timestamp.
  5. Prints the resulting YAML to stdout.

Decryption:

  1. Reads the kubekrypt metadata block to determine which KMS key to use.
  2. Calls Google Cloud KMS to decrypt each enc:<base64> value.
  3. Strips the kubekrypt metadata block from the output.
  4. Prints the resulting YAML to stdout (optionally with base64-encoded values via --base64).

Security

KubeKrypt never stores or logs key material. All cryptographic operations are performed by Google Cloud KMS — plaintext values exist only transiently in memory during a command invocation.

Contributing

Pull requests are welcome. Please make sure bundle exec rake ci passes before submitting.

License

MIT — see LICENSE for details.