Install the Sealed Secrets controller in the cluster via its Helm chart or released manifest; on first start the controller generates a 4096-bit RSA key pair and stores it (certificate plus private key) in a Secret in its own namespace (kube-system for the stock manifest), labelled `sealedsecrets.bitnami.com/sealed-secrets-key`. Anyone who can read Secrets in that namespace can decrypt every SealedSecret in Git, so restrict that namespace with RBAC.
Install the `kubeseal` CLI and fetch the controller's public key certificate with `kubeseal --fetch-cert > pub-cert.pem`. If the controller does not run as `sealed-secrets-controller` in `kube-system` (Helm installs usually name it after the release), pass `--controller-name` and `--controller-namespace`. The certificate is public, so it is safe to commit to the repo for offline sealing in CI or on machines that cannot reach the API server; re-fetch it after every key renewal so new secrets are sealed with the current key.
Seal a Secret manifest with `kubeseal --cert pub-cert.pem --format yaml < secret.yaml > sealed-secret.yaml`; the namespace and name are taken from the Secret's metadata (or from `--namespace`/`--name`), so set them to their final values before sealing. Commit only the SealedSecret to Git; delete `secret.yaml` afterwards and add it to `.gitignore` so the plaintext is never committed by accident.
Apply the SealedSecret with `kubectl apply -f sealed-secret.yaml`; the controller decrypts it with its private key and creates a regular Kubernetes Secret with the same name in the same namespace. That Secret is as readable as any other (base64, not encrypted), so sealing protects the manifest at rest in Git, not the value inside the cluster; RBAC on Secrets still matters.
Control where a SealedSecret may be unsealed with `--scope`: `strict` (the default) binds it to the namespace and name it was sealed for; `namespace-wide` binds it to the namespace only, so it can be renamed within that namespace; `cluster-wide` removes the binding entirely, so anyone who can create a SealedSecret in any namespace can unseal it there. Stay with `strict` unless a secret genuinely has to be reused, and avoid `cluster-wide` for anything sensitive.
Back up the controller's sealing keys, for example with `kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealed-secrets-keys.yaml` (adjust the namespace if the controller runs elsewhere). The label selector captures every key generation, so repeat the backup after each renewal. Store the file in a secrets manager or offline vault, never in the Git repo next to the SealedSecrets it unlocks. To restore into a rebuilt cluster, apply the backup before the controller starts, or restart the controller pod after applying it, so it picks up the restored keys instead of generating a new pair.
Known gotchas
SealedSecrets are bound by default (`strict` scope) to a specific namespace and Secret name; the controller mixes both into the encryption, so a SealedSecret sealed for namespace A cannot be unsealed in namespace B, or under a different name, without re-sealing. Moving or renaming one in Git is enough to break it, and the failure shows up as a decryption error on the SealedSecret's status and events rather than as an obvious missing Secret.
If the controller's private keys are lost (e.g., cluster rebuild without a backup), every existing SealedSecret becomes permanently unreadable; the Git history is then worthless, and the only recovery is to obtain the plaintext values from their original sources and re-seal them against the new controller key.
Key renewal is not key rotation. The controller renews its key pair on a schedule (every 30 days by default, `--key-renew-period`; renewal can be forced with `--key-cutoff-time`) and seals new secrets with the newest key, but it keeps every old private key so existing SealedSecrets still decrypt, and it never re-encrypts what is already in Git. A leaked old key therefore stays usable against every SealedSecret ever sealed with it. After a suspected compromise, rotate explicitly: let the controller generate a fresh key, re-seal every SealedSecret with `kubeseal --re-encrypt` against the running controller, commit the results, remove the compromised key Secret only once nothing still depends on it, and rotate the underlying credentials, since their plaintext must be treated as exposed. Also refresh any committed `pub-cert.pem`; a stale certificate keeps sealing with an older key.
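To make the scope binding concrete, here is an added example, not code from this page or from the Sealed Secrets project, that reproduces the controller's hybrid encryption in Go and then shows why a SealedSecret applied under another namespace or name fails to unseal: a random AES-256 session key is wrapped with RSA-OAEP (SHA-256) and the payload is encrypted with AES-GCM, with the namespace and name fed in as the OAEP label. The label strings (`namespace/name` for strict, `namespace` for namespace-wide, empty for cluster-wide), the byte layout and the zero GCM nonce follow the project's crypto package as I read it; treat them as an assumption for illustration rather than a guarantee of wire compatibility with real `kubeseal` output, which additionally base64-encodes the blob into the SealedSecret manifest. The key pair, namespaces, names and secret value are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Scope mirrors kubeseal's three scopes. Only the OAEP label differs between
// them; the ciphertext layout is identical in every case.
type Scope int

const (
	Strict        Scope = iota // bound to namespace and name (kubeseal default)
	NamespaceWide              // bound to namespace only
	ClusterWide                // not bound at all
)

// sealLabel derives the OAEP label from namespace, name and scope. The label is
// an input to RSA-OAEP, so a different label makes unwrapping fail; that is the
// whole mechanism behind "sealed for namespace A does not unseal in B".
func sealLabel(scope Scope, namespace, name string) []byte {
	switch scope {
	case Strict:
		return []byte(namespace + "/" + name)
	case NamespaceWide:
		return []byte(namespace)
	}
	return nil // ClusterWide: no binding at all
}

// seal performs the hybrid encryption: a fresh 32-byte AES key is wrapped with
// RSA-OAEP(SHA-256, label) and the plaintext is AES-256-GCM encrypted under it.
// Layout: [2-byte big-endian len(wrapped)][wrapped key][GCM ciphertext+tag].
// The session key is used exactly once, so an all-zero nonce is acceptable here.
func seal(pub *rsa.PublicKey, plaintext []byte, scope Scope, namespace, name string) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, sealLabel(scope, namespace, name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}

// unseal is what the controller does on apply: it rebuilds the label from the
// namespace/name the object was applied with plus its scope annotation, unwraps
// the session key, then decrypts. A mismatch is an error, never wrong plaintext.
func unseal(priv *rsa.PrivateKey, sealed []byte, scope Scope, namespace, name string) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, fmt.Errorf("sealed blob too short")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	if len(sealed) < 2+n {
		return nil, fmt.Errorf("sealed blob truncated")
	}
	wrapped, body := sealed[2:2+n], sealed[2+n:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, sealLabel(scope, namespace, name))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong key or label mismatch): %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), body, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key pair standing in for the controller's (2048 bits to
	// keep the demo quick; the real controller generates 4096-bit keys).
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := seal(&priv.PublicKey, []byte("s3cr3t-db-password"), Strict, "payments", "db-creds")
	// Same namespace/name unseals; another namespace or a renamed object fails.
	for _, target := range [][2]string{{"payments", "db-creds"}, {"staging", "db-creds"}, {"payments", "db-creds-copy"}} {
		pt, err := unseal(priv, sealed, Strict, target[0], target[1])
		fmt.Printf("%s/%s: plaintext=%q err=%v\n", target[0], target[1], pt, err)
	}
}
```

Because the binding lives in the OAEP label rather than in a metadata check, editing the scope annotation on a strict SealedSecret does not loosen it either: the label the controller derives no longer matches the one used at sealing time, and unwrapping fails the same way a namespace move does.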