
Secure Kubernetes Secrets with GPG and kubectl


GPG encryption with kubectl isn’t just about hiding secrets. It’s about making every push, pull, apply, and update safe without slowing you down. When Kubernetes manifests contain sensitive data, a single misconfiguration can expose tokens, passwords, and internal URLs. Encrypting with GPG before it even touches your cluster means those secrets never sit around in the open.

The workflow is straightforward. Store secrets as YAML files, encrypt them with gpg --encrypt, commit to version control, and only decrypt on a trusted local machine or in a secure CI/CD pipeline right before running kubectl apply. There’s no reason to let .env files, ConfigMaps, or Secrets float unencrypted between repos and environments.

Done right, kubectl and GPG operate as a single unit. Developers can commit encrypted Kubernetes resource files, review them in PRs without exposing values, and control who can decrypt by managing GPG keys. Access control becomes as simple as key distribution. When you rotate keys, you instantly change who can manage secrets in your clusters.


Avoid common mistakes: never check unencrypted files into Git, never keep private keys on shared machines, and never decrypt in places you don’t fully trust. Use automation to enforce GPG encryption before applying anything to Kubernetes. You should be able to run kubectl without ever seeing the raw secret values.
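The encrypt, commit, decrypt-then-apply workflow above, plus the automated "no plaintext Secret in Git" check, as an added shell example (not code from the original post or from hoop.dev). It assumes gpg, kubectl and shred are on PATH; the file paths and key IDs are placeholders.

```shell
# Added example: GPG-encrypted Secret manifests that are decrypted only in
# memory, right before `kubectl apply`. Paths and key IDs are hypothetical.
set -eu

# Encrypt a plaintext Secret manifest for one or more recipient key IDs, then
# shred the plaintext so only the .gpg file is left to commit.
# usage: encrypt_manifest secrets/db.yaml KEYID1 [KEYID2 ...]
encrypt_manifest() {
  plain="$1"; shift
  recips=""
  for r in "$@"; do recips="$recips --recipient $r"; done
  # shellcheck disable=SC2086  # key IDs contain no whitespace
  gpg --batch --yes --armor --encrypt $recips --output "$plain.gpg" "$plain"
  shred -u "$plain" 2>/dev/null || rm -f "$plain"
}

# Decrypt to stdout and stream straight into kubectl: no temp file on disk,
# so the raw values never appear in the working tree or the shell history.
# usage: apply_encrypted secrets/db.yaml.gpg
apply_encrypted() {
  gpg --batch --quiet --decrypt "$1" | kubectl apply -f -
}

# Guard for a pre-commit hook or CI step: returns 1 (listing offenders on
# stderr) if any of the given files is a plaintext Kubernetes Secret.
# Encrypted files (.gpg/.asc) are skipped; file paths come from arguments so
# the check can be tested offline without gpg or a cluster.
find_plaintext_secrets() {
  rc=0
  for f in "$@"; do
    case "$f" in *.gpg|*.asc) continue ;; esac
    [ -f "$f" ] || continue
    if grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$' "$f"; then
      echo "plaintext Secret manifest staged: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Hypothetical .git/hooks/pre-commit body: refuse the commit when a staged
# file is an unencrypted Secret.
#   find_plaintext_secrets $(git diff --cached --name-only --diff-filter=ACM)
```

Key rotation then reduces to re-running encrypt_manifest with the new recipient list over each decrypted manifest, so access follows key distribution as the post describes.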

Speed does not need to kill security. You can set up a system where onboarding a new engineer takes minutes, key rotation takes seconds, and applying updates is frictionless. This is how kubectl and GPG should work: security by default, speed by design.

You can see this live in minutes. Hoop.dev can run your secure kubectl workflows now—encrypted from end to end, without changing how you work. Try it and watch secure deployments happen in real time.
