A new open-source project, Secreter, has been launched to make it easier to encrypt Kubernetes secrets. It consists of two components: a CLI tool that encrypts secrets so that they can be stored outside of the Kubernetes cluster, and a Kubernetes operator that creates Kubernetes secrets from the encrypted form and decrypts them inside the cluster.
Secrets encrypted by the Secreter CLI can be decrypted only by the Encrypted Secrets Controller, the operator component running inside the cluster; the machine running the CLI never holds a key that can decrypt them. According to the team, combining Secreter with Kubernetes' built-in encryption of Secret data at rest (which protects secrets stored in etcd) creates a situation in which “secrets are known in their raw format only to the workloads they are explicitly bound to inside the cluster.”
The features the project calls out are envelope encryption, diff-friendly output, separation of concerns and duties (whoever encrypts a secret does not need, and does not get, the key that decrypts it), and a non-interactive CLI that can be driven from scripts and pipelines.
According to the team, the main goal behind creating Secreter was to provide a Kubernetes-native set of tools that offered a secure and protected way of managing secrets.
“Some investigation showed that there are various approaches to managing secrets in Kubernetes world but all of them are complex multi-step systems implying a lot of manual preparatory work hence prone to introducing fragility and human errors. Many approaches suggest encrypting whole files whereas all is needed is encrypting the data map values,” the project’s GitHub page states.
The team also wanted to avoid both legacy cryptographic algorithms and shiny new algorithms that do not yet have a proven track record. All data is encrypted with envelope (hybrid) encryption built on an AEAD cipher: the secret values are encrypted under a symmetric data key, and that data key is in turn encrypted so that only the controller can recover it.
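As an added illustration of what envelope (hybrid) encryption of data-map values with an AEAD looks like, the following Go program is not Secreter's code and does not reproduce its format; the RSA-OAEP key wrapping, AES-256-GCM as the AEAD, the `EncryptedSecret` shape and the `"dek"` OAEP label are this example's own assumptions. It generates a data-encryption key (DEK) per secret, encrypts each data-map value separately with the map key as associated data, wraps the DEK to a controller public key, and performs the controller-side unwrap and decrypt:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// EncryptedSecret is this example's hypothetical output shape (not Secreter's format).
type EncryptedSecret struct {
	WrappedDEK string            // data-encryption key wrapped with the controller's RSA public key (OAEP)
	Data       map[string]string // data-map key -> base64(nonce || AES-256-GCM ciphertext)
}

func newAEAD(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // 32-byte DEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the CLI side: it needs only the controller's public key, so the caller can never decrypt.
func Encrypt(controllerPub *rsa.PublicKey, data map[string][]byte) (*EncryptedSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	out := &EncryptedSecret{Data: make(map[string]string, len(data))}
	for name, plaintext := range data {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// The map key is associated data: a ciphertext moved under another key fails to authenticate.
		ct := aead.Seal(nonce, nonce, plaintext, []byte(name))
		out.Data[name] = base64.StdEncoding.EncodeToString(ct)
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, controllerPub, dek, []byte("dek"))
	if err != nil {
		return nil, err
	}
	out.WrappedDEK = base64.StdEncoding.EncodeToString(wrapped)
	return out, nil
}

// Decrypt is the controller side: only the private-key holder can unwrap the DEK.
func Decrypt(controllerPriv *rsa.PrivateKey, es *EncryptedSecret) (map[string][]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(es.WrappedDEK)
	if err != nil {
		return nil, err
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, controllerPriv, wrapped, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (wrong controller key or tampered envelope): %w", err)
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(es.Data))
	for name, enc := range es.Data {
		ct, err := base64.StdEncoding.DecodeString(enc)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if len(ct) < aead.NonceSize() {
			return nil, fmt.Errorf("%s: ciphertext too short", name)
		}
		nonce, body := ct[:aead.NonceSize()], ct[aead.NonceSize():]
		pt, err := aead.Open(nil, nonce, body, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("%s: authentication failed", name)
		}
		out[name] = pt
	}
	return out, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo controller key pair
	es, err := Encrypt(&key.PublicKey, map[string][]byte{"username": []byte("admin"), "password": []byte("s3cr3t")})
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, es)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d values encrypted; decrypted username=%s\n", len(es.Data), plain["username"])
}
```

Two points a practitioner should take from this: because each value is its own AEAD ciphertext, a change to one value touches one line of the stored object, which is what makes value-level encryption diff-friendly in the first place, but the random nonce means re-encrypting an unchanged value still produces a new ciphertext, so a CLI that wants stable diffs must re-encrypt only the values that actually changed. The GCM nonce is 96 bits and generated at random here, which is acceptable only because each secret gets a fresh DEK and therefore a small number of encryptions per key.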
The project is currently in alpha.