The Sealed Secrets controller in action. The controller uses a random cryptographic nonce when encryption is done, further hardening the system. kubeseal is the CLI tool used by an end user to interact do the encryption. (Figure 7-2). Figure 7-2: The kubeseal workflow. Chapter 7 – Handling Secrets The Path to GitOps | 39 You can also provide a public key in the CLI for “offline” encryption, where This alternative is useful for automation. Sealed Secrets supports automatic rotation of the encryption keys and, optionally, deprecation of past keys. Challenges of Storing Encrypted Secrets Storing