Skip to content

cloudflare/lockbox

2 Branches2 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

hrushikeshdeshpandehrushikeshdeshpande
chore(workflow): update semgrep.yml docker image
Sep 25, 2024
b7bc038 · Sep 25, 2024

History

17 Commits
.github/workflows
.github/workflows
Sep 25, 2024
cmd
cmd
Feb 1, 2024
deployment
deployment
Dec 23, 2023
pkg
pkg
Feb 1, 2024
tools
tools
Dec 23, 2023
.dockerignore
.dockerignore
Dec 23, 2023
.gitignore
.gitignore
Dec 23, 2023
LICENSE
LICENSE
Nov 9, 2020
Makefile
Makefile
Dec 23, 2023
README.org
README.org
Nov 9, 2020
go.mod
go.mod
Feb 1, 2024
go.sum
go.sum
Feb 1, 2024

Repository files navigation

Lockbox

https://pkg.go.dev/badge/github.com/cloudflare/lockbox.png

Lockbox is a secure way to store Kubernetes Secrets offline. Secrets are asymmetrically encrypted, and can only be decrypted by the Lockbox Kubernetes controller. A companion CLI tool, locket, makes encrypting secrets a one-step process.

Features

  • Secure encryption using modern cryptography. Uses Salsa20, Poly1305, and Curve25519.
  • Secrets are locked to specific namespaces.
  • All Kubernetes Secret types are supported.
  • Plays nicely with Secrets created by other controllers.
  • Continuously reconciles child resources.

Example Usage

Create a native Secret, but pass --dry-run to avoid submitting to the API.

$ kubectl create secret generic mysecret --namespace default \
  --from-literal=foo=bar --dry-run -o yaml > mysecret.yaml

Then, use locket to encrypt the secret.

$ locket -f mysecret.yaml > mylockbox.yaml

Submit the lockbox to the API.

$ kubectl create -f mylockbox.yaml

Remove the unencrypted secret.

$ rm mysecret.yaml

About

Offline encryption of Kubernetes Secrets

Topics

kubernetes

Resources

Readme

License

BSD-3-Clause license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

177 stars

Watchers

11 watching

Forks

10 forks
Report repository

Releases

2 tags

Contributors 4

Languages