Kubernetes-native secret manager with Zero-Knowledge encryption for GitOps workflows
zen-lock is a Kubernetes controller that implements Zero-Knowledge secret storage. ZenLock CRDs store only ciphertext, and that ciphertext is the source of truth. During Pod injection, zen-lock decrypts in the mutating webhook and creates an ephemeral Kubernetes Secret containing the plaintext, which is mounted into the Pod.
Protect ephemeral Secrets via RBAC and etcd encryption-at-rest. Perfect for GitOps workflows where encrypted manifests can be safely committed to Git.
ZenLock CRDs store only ciphertext - API server/etcd cannot read the encrypted payload
Decrypted secrets stored in ephemeral Kubernetes Secrets, cleaned up when Pods terminate
Encrypted manifests can be safely committed to Git repositories
Uses standard CRDs and Mutating Webhooks - no external databases required
Uses modern, easy-to-use encryption (age) by default
Restrict secret access to specific ServiceAccounts for fine-grained control
zen-lock keygen --output private-key.age
zen-lock encrypt \
  --pubkey $(cat public-key.age) \
  --input secret.yaml \
  --output encrypted-secret.yaml
kubectl apply -f encrypted-secret.yaml
# Annotate the Pod with zen-lock/inject: "secret-name"
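An added example, not code from the zen-lock project, showing the last step above together with the RBAC hardening the page recommends for the ephemeral Secret: the Pod carries the zen-lock/inject annotation, and its ServiceAccount is given no API access to Secrets, since the kubelet mounts the injected Secret without the workload needing to read it. The namespace "demo", the names app-sa, app-minimal and db-credentials, and the container image are assumptions.

```yaml
# Added example (not zen-lock's own manifests). Names and image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: demo
---
# Least-privilege Role for the workload: deliberately NO verbs on "secrets",
# so a compromised container cannot fetch the ephemeral plaintext Secret
# through the API server. The configmaps rule is illustrative only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-minimal
  namespace: demo
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-minimal
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: demo
roleRef:
  kind: Role
  name: app-minimal
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
  annotations:
    zen-lock/inject: "db-credentials"   # name of the ZenLock resource to inject
spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: false   # the app makes no API calls; drop the token
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
# Check the intent holds before deploying:
#   kubectl auth can-i get secrets -n demo --as=system:serviceaccount:demo:app-sa
# should answer "no".
```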
zen-lock is coming soon! Check out the repository and feel free to contribute.