Skip to content
Latchkey

What Is a Sealed Secret?

A sealed secret is a secret encrypted with a public key so the ciphertext can be committed to version control without exposing the value. A controller running in the cluster holds the private key and decrypts it into a normal secret at apply time. This lets secrets live in a GitOps repo alongside other manifests.

Why it matters

Sealed secrets make it safe to manage secrets through Git-based CI/CD without plaintext in the repo. Only the target cluster can unseal them, so a leaked repo does not leak the values.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →