Skip to content

cloudflare/lockbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
.github/workflows
.github/workflows
 
 
cmd
cmd
 
 
deployment
deployment
 
 
pkg
pkg
 
 
tools
tools
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.org
README.org
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

Lockbox

https://pkg.go.dev/badge/github.com/cloudflare/lockbox.png

Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, locket, makes encrypting secrets a one-step process.

Features

  • Secure encryption using modern cryptography. Uses Salsa20, Poly1305, and Curve25519.
  • Secrets are locked to specific namespaces.
  • All Kubernetes Secret types are supported.
  • Plays nicely with Secrets created by other controllers.
  • Continuously reconciles child resources.

Example Usage

Create a native Secret, but pass --dry-run to avoid submitting to the API.

$ kubectl create secret generic mysecret --namespace default \
  --from-literal=foo=bar --dry-run -o yaml > mysecret.yaml

Then, use locket to encrypt the secret.

$ locket -f mysecret.yaml > mylockbox.yaml

Submit the lockbox to the API.

$ kubectl create -f mylockbox.yaml

Remove the unencrypted secret.

$ rm mysecret.yaml

About

Offline encryption of Kubernetes Secrets

Topics

kubernetes

Resources

Readme

License

BSD-3-Clause license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

175 stars

Watchers

12 watching

Forks

10 forks
Report repository

Releases

2 tags

Contributors 4

Languages