how can I locally decrypt already sealed secrets?


I have a question regarding the use of sealed-secrets.

The SealedSecrets solution solves the issue we've got: being able to store secrets in our version control. However, we want to be able to re-generate the plain secret file from a sealed-secret file (a file already encrypted by kubeseal). Use case: you go to an existing repo, clone it, and you want to see what the actual secret values are from your local machine.

  • Is it possible to accomplish this with kubeseal?
  • If not, how do you recommend achieving such behaviour? Maybe an integration with a cloud secret manager, for instance?

As I understand it, this goes against the purpose of sealed secrets, given that I want to decrypt outside of the Kubernetes controller. But I hope that the use case makes sense and I get some recommendations on how to achieve that.


Yes, but you can only decrypt by downloading the sealed-secrets-key. Then you can do the same as the controller does. You have to have access to the namespace where Sealed Secrets is installed.

Just check that kubectl get pods or kubectl get nodes shows resources on the right cluster, and then:

kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealed-secrets-key.yaml

kubeseal --controller-name=sealed-secrets --controller-namespace=sealed-secrets < /tmp/sealed-secret.yaml --recovery-unseal --recovery-private-key sealed-secrets-key.yaml -o yaml

/tmp/sealed-secret.yaml is your file from the version control system. You can also list every sealed secret with kubectl get sealedsecrets -A and pass one of them.

Reference:

https://github.com/bitnami-labs/sealed-secrets#will-you-still-be-able-to-decrypt-if-you-no-longer-have-access-to-your-cluster
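As an added example (not from the question, the answer above, or the Sealed Secrets project itself), here is a small Go program that does offline what the controller does for a single value: it loads the exported private key and decrypts one entry of spec.encryptedData. It assumes the project's hybrid layout (a 2-byte length prefix, an RSA-OAEP/SHA-256-wrapped single-use AES-256-GCM session key, then the GCM ciphertext with a zero nonce, with the OAEP label set to namespace/name for the default strict scope) and a PKCS#1 PEM key; hybridSeal, newGCM and the must helper exist only so the example can be exercised without a cluster, and all function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// scopeLabel is the RSA-OAEP label that ties a sealed value to its scope. Assumed
// layout: "" for cluster-wide, "<ns>" for namespace-wide, "<ns>/<name>" for strict.
func scopeLabel(scope, namespace, name string) []byte {
	switch scope {
	case "cluster-wide":
		return []byte{}
	case "namespace-wide":
		return []byte(namespace)
	default: // strict, the kubeseal default
		return []byte(namespace + "/" + name)
	}
}

// parsePrivateKey reads the PKCS#1 PEM found under tls.key in the exported
// sealed-secrets-key Secret (the Secret YAML stores that field base64-encoded).
func parsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found in key file")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// hybridUnseal reverses the assumed layout: 2-byte big-endian length, RSA-OAEP
// wrapped session key, AES-GCM ciphertext. A wrong label (wrong namespace/name)
// makes the OAEP unwrap fail; that failure is the scope check.
func hybridUnseal(priv *rsa.PrivateKey, blob, label []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("ciphertext too short")
	}
	rsaLen := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+rsaLen {
		return nil, errors.New("truncated RSA ciphertext")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[2:2+rsaLen], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key (wrong key or scope?): %w", err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), blob[2+rsaLen:], nil)
}

// hybridSeal is the forward direction of the same layout, included only so the
// example can be round-tripped offline without a cluster.
func hybridSeal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	rsaCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(rsaCT)))
	out = append(out, rsaCT...)
	// the session key is used exactly once, so an all-zero nonce is safe here
	return aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// unsealValue decodes one base64 entry of spec.encryptedData and decrypts it.
func unsealValue(priv *rsa.PrivateKey, b64, scope, namespace, name string) ([]byte, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return hybridUnseal(priv, blob, scopeLabel(scope, namespace, name))
}

func must[T any](v T, err error) T {
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	return v
}

// usage: go run unseal.go tls.key '<base64 value>' <namespace> <name>
func main() {
	if len(os.Args) != 5 {
		fmt.Fprintln(os.Stderr, "usage: unseal tls.key <base64-value> <namespace> <name>")
		os.Exit(2)
	}
	priv := must(parsePrivateKey(must(os.ReadFile(os.Args[1]))))
	os.Stdout.Write(must(unsealValue(priv, os.Args[2], "strict", os.Args[3], os.Args[4])))
}
```

To feed it the key from the Secret exported in the answer, decode the tls.key field first, for example with kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key -o jsonpath='{.items[0].data.tls\.key}' | base64 -d > tls.key, and treat that file like any other private key: restrictive permissions and deletion once you are done, since anyone holding it can unseal every value sealed for that cluster. The namespace and name arguments must match the SealedSecret's metadata, which is why a value copied into a different namespace fails to decrypt rather than silently succeeding.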