Container Security19 min read0 views

Secrets Management in Containers: Vault, SOPS, and Sealed Secrets

Comprehensive guide to container secrets management in 2026. Deep comparison of HashiCorp Vault (Agent Injector, CSI driver, dynamic secrets), SOPS (encrypted GitOps secrets), Sealed Secrets (Kubernetes-native encryption), External Secrets Operator (multi-cloud), and Kubernetes native secrets with encryption at rest. Covers secret rotation, zero-trust delivery, audit trails, and the architecture patterns that prevent credential leaks in containerized environments.

David Olowatobi

David Olowatobi

Cloud Security Architect · July 10, 2026

Secrets Management in Containers: Vault, SOPS, and Sealed Secrets

Key Takeaways

  • Kubernetes Secrets are base64-encoded, not encrypted. Without enabling encryption at rest (EncryptionConfiguration), anyone with etcd access can read every secret in the cluster by simply base64-decoding the values. This is the most commonly misunderstood security control in Kubernetes.
  • HashiCorp Vault is the most comprehensive secrets management platform, providing dynamic secrets (credentials generated on-demand with automatic expiration), fine-grained access policies, a complete audit trail, and encryption as a service. The trade-off is operational complexity — Vault itself requires high availability, unsealing procedures, and ongoing maintenance.
  • SOPS (Secrets OPerationS) encrypts secret values in-place within YAML, JSON, or ENV files while leaving keys and structure visible. This makes encrypted secrets compatible with GitOps workflows — you can store encrypted secrets in Git, review diffs of key names (not values), and decrypt at deployment time using KMS keys.
  • The External Secrets Operator (ESO) is the emerging standard for multi-cloud secrets management in Kubernetes. It synchronizes secrets from external stores (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault) into native Kubernetes Secrets, giving applications a consistent interface regardless of cloud provider.
  • Secret rotation is where most organizations fail. Having a secrets manager is necessary but not sufficient — you need automated rotation policies that generate new credentials, update the secret store, and restart dependent workloads without human intervention. Vault dynamic secrets solve this by design: every credential has a TTL and is never reused.

Secrets in containers — API keys, database credentials, TLS certificates, encryption keys, service account tokens — are the most targeted assets in any container environment. A leaked secret does not just compromise one container. It compromises every system that secret can access. A database credential leak exposes your entire database. A cloud IAM key leak exposes your cloud account. An encryption key leak renders all your encrypted data accessible.

The challenge with container secrets is that containers are ephemeral, horizontally scaled, and deployed through automated pipelines. Traditional secret management approaches (storing credentials in configuration files, passing them as environment variables, hard-coding them in application code) do not work in environments where containers are created and destroyed hundreds of times per day across multiple clusters.

This guide covers every major approach to container secrets management: Kubernetes native Secrets (and their limitations), HashiCorp Vault (the full-featured platform), SOPS and Sealed Secrets (GitOps-compatible encryption), the External Secrets Operator (multi-cloud synchronization), and the operational practices that prevent credential leaks.

Kubernetes Secrets: Understanding the Reality

Kubernetes Secrets are the built-in mechanism for managing sensitive data. They are commonly misunderstood — many teams believe Kubernetes Secrets are encrypted. They are not. By default, Kubernetes Secrets are stored in etcd as base64-encoded plaintext. Base64 is an encoding format, not an encryption algorithm. Anyone with access to etcd can decode every secret instantly.

The Five Problems with Default Kubernetes Secrets

ProblemDetailsImpact
Not encrypted at restStored as base64 in etcd. Decoding requires no key or passwordetcd backup files contain all secrets in readable form. Any etcd compromise exposes all cluster secrets.
Broad RBAC accessAny user or service account with get permission on Secrets can read all secrets in the namespaceA compromised pod with secret read access can harvest credentials for every service in its namespace.
No audit trail by defaultKubernetes audit logging records secret access, but audit logging is often not enabled or not monitoredNo visibility into who accessed which secrets or when. Cannot detect credential theft after a breach.
No rotation mechanismKubernetes provides no built-in secret rotation. Secrets are static until manually updatedLeaked credentials remain valid indefinitely until someone manually rotates them. Average time to detect a credential leak: 327 days.
Visible in pod spec and envSecrets injected as environment variables appear in pod definitions, docker inspect output, and process listingsSecrets leak through debugging tools, crash dumps, log aggregation, and kubectl describe output.

Enabling Encryption at Rest

The minimum security improvement for Kubernetes Secrets is enabling encryption at rest via the EncryptionConfiguration API. This encrypts Secrets before writing them to etcd using AES-CBC or AES-GCM encryption with a key you manage (or a KMS provider like AWS KMS, Azure Key Vault, or GCP KMS).

With KMS provider integration, the encryption key itself is never stored in the Kubernetes cluster — the API server sends the data encryption key (DEK) to the KMS provider for wrapping/unwrapping. This means even a complete etcd compromise does not expose secrets if the attacker does not also have access to the KMS provider.

HashiCorp Vault: The Complete Platform

Vault is the most feature-rich secrets management platform available. It goes far beyond storing and retrieving static secrets — Vault generates dynamic credentials on-demand, manages PKI certificate issuance, provides encryption as a service, and maintains a detailed audit log of every secret access.

Vault's Key Capabilities

CapabilityHow It WorksWhy It Matters for Containers
Dynamic secretsVault generates unique credentials (database users, cloud IAM keys, certificates) on-demand with automatic TTL-based expirationEvery pod gets a unique database credential that expires automatically. No shared credentials, no manual rotation, no persistent secrets to leak.
Secret leasing and renewalEvery secret has a TTL (time-to-live). Applications renew leases or receive new credentials before expiryLeaked credentials are automatically invalidated when the TTL expires. Maximum blast radius is limited to the lease duration.
Fine-grained policiesVault policies specify which authentication identities can access which secret paths with which operationsThe web application can only read its own database credential, not the payment service credential. Policies follow least privilege.
Audit loggingEvery secret read, write, renewal, and revocation is logged with the requesting identity, timestamp, and operationComplete forensic trail showing who accessed which secret and when. Detects unauthorized access patterns.
Encryption as a service (Transit)Applications send plaintext to Vault's transit engine, receive ciphertext back. Applications never handle encryption keys.Simplifies application-level encryption without managing keys in application code or environment variables.
PKI engineIssues X.509 certificates for service-to-service TLS. Short-lived certificates with automatic renewalmTLS for container communication without managing a separate PKI infrastructure. Certificates expire in hours, not years.

Vault in Kubernetes: Delivery Methods

There are three ways to deliver Vault secrets to Kubernetes pods:

MethodHow It WorksProsCons
Vault Agent InjectorMutating webhook injects a Vault Agent init container and sidecar container into annotated pods. Agent authenticates to Vault, retrieves secrets, writes them as files in a shared volumeNo application code changes. Secrets rendered as files. Automatic rotation via sidecar. Mature and battle-testedAdds sidecar container to every pod (memory/CPU overhead). Requires Vault annotations on pod specs
Vault CSI ProviderUses the Kubernetes Secrets Store CSI Driver to mount Vault secrets as volumes. No sidecar requiredNo sidecar overhead. Standard CSI volume interface. Can sync to native K8s Secrets for env var consumptionNo automatic rotation without periodic polling. Requires CSI driver installation
Application-direct (SDK)Application uses Vault SDK/API to authenticate and retrieve secrets directlyFull control over secret lifecycle. Access to all Vault features. No middleware componentsRequires application code changes. Must implement retry, caching, and renewal logic
Secrets Management Tools — Capability Matrix Dynamic Rotation Audit GitOps Multi-Cloud Complexity Cost Vault Yes Auto Full Partial Yes High OSS/Ent SOPS No Manual Git Native Yes Low Free Sealed Secrets No Manual Git Native No Low Free ESO No Sync Store CRD Yes Med Free K8s Native No None None No No None Free Recommended: Vault (dynamic secrets) + ESO (sync) or SOPS (GitOps) — never rely on K8s Secrets alone
Secrets management tool comparison across key capabilities. Vault provides the most comprehensive feature set, while SOPS and Sealed Secrets excel for GitOps-compatible encrypted secrets storage.

SOPS: Encrypted Secrets for GitOps

SOPS (Secrets OPerationS) takes a fundamentally different approach from Vault. Instead of running a separate secret management server, SOPS encrypts secret values directly within your configuration files. The encrypted files can be committed to Git, reviewed in pull requests (you can see which keys changed but not the values), and decrypted at deployment time.

How SOPS Works

SOPS encrypts only the values in a structured file (YAML, JSON, ENV, INI) while leaving keys, comments, and structure visible. The encryption keys come from cloud KMS providers (AWS KMS, GCP KMS, Azure Key Vault), age keys, or PGP keys.

A SOPS-encrypted file looks like this: the keys (database_host, database_password, api_key) are visible in plaintext, but the values are replaced with encrypted ciphertext. This visibility is intentional — it allows code review of which secrets are being changed without exposing the actual values.

SOPS in Practice

Workflow StepWhat HappensWho Has Access
Developer edits secretsDeveloper uses sops edit to decrypt file in-memory, make changes, and re-encrypt on saveDeveloper needs access to the KMS key (IAM-controlled)
Commit to GitEncrypted file is committed. PR review shows which keys changedAnyone can see the file structure, no one can read values
CI/CD pipelinePipeline decrypts SOPS file using KMS credentials, creates Kubernetes SecretPipeline service account needs KMS key access
DeploymentDecrypted secret is applied to the cluster as a native Kubernetes SecretOnly pods with RBAC access can read the secret

SOPS works well with ArgoCD and Flux (popular GitOps controllers) through plugins that decrypt SOPS-encrypted manifests before applying them to the cluster.

Sealed Secrets: Kubernetes-Native Encryption

Sealed Secrets (by Bitnami) is a Kubernetes controller that encrypts Secret manifests using asymmetric cryptography. You encrypt a Kubernetes Secret using the cluster's public key (via the kubeseal CLI), producing a SealedSecret custom resource. Only the Sealed Secrets controller running in the target cluster has the private key to decrypt it.

How Sealed Secrets Differ from SOPS

DimensionSealed SecretsSOPS
ScopeKubernetes Secrets onlyAny YAML, JSON, ENV, or INI file
Encryption backendCluster-specific RSA key pair (controller generates and stores the private key)Cloud KMS (AWS, GCP, Azure), age, PGP
Multi-clusterEach cluster has its own key pair. Secrets encrypted for one cluster cannot be decrypted by anotherSame KMS key can be used across clusters and environments
Key managementController manages keys automatically. Must backup the private key for disaster recoveryKMS provider manages key lifecycle, rotation, and access control
Diff visibilityEntire encrypted blob changes — diffs are not human-readableOnly changed values differ — keys remain visible for review
GitOps compatibilityNative — SealedSecret CRD is committed to Git, controller decrypts in-clusterRequires plugin (kustomize-sops, argocd-vault-plugin) for GitOps controller integration

External Secrets Operator: Multi-Cloud Sync

The External Secrets Operator (ESO) synchronizes secrets from external secret management systems into native Kubernetes Secrets. It supports all major secret stores: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, CyberArk, 1Password, and more.

Why ESO Is Becoming the Standard

ESO solves the multi-cloud secret management problem. Instead of modifying applications to use each cloud provider's SDK, ESO pulls secrets from the external store and creates standard Kubernetes Secrets. Your applications consume secrets through the same Kubernetes API regardless of whether the underlying store is AWS, Azure, GCP, or Vault.

Key ESO concepts:

  • SecretStore / ClusterSecretStore — defines the connection to the external secret management system (provider, authentication, endpoint). SecretStore is namespace-scoped, ClusterSecretStore is cluster-scoped.
  • ExternalSecret — defines which secrets to synchronize from the external store, how to map them into the Kubernetes Secret, and the refresh interval for automatic synchronization.
  • Refresh interval — ESO polls the external store at the configured interval (default: 1 hour) and updates the Kubernetes Secret if the external value has changed. This provides automatic rotation without application changes.

Architecture Patterns with ESO

PatternArchitectureBest For
Cloud-native directESO syncs directly from AWS Secrets Manager / Azure Key Vault / GCP Secret ManagerSingle-cloud Kubernetes deployments. Simplest architecture, leverages existing cloud IAM.
Vault hub with ESOVault serves as the central authority. ESO syncs from Vault to Kubernetes Secrets in each clusterMulti-cloud deployments. Vault provides unified policy and dynamic secrets, ESO handles delivery.
Vault + cloud-native hybridDynamic secrets from Vault, static config from cloud-native store, both synced via ESOOrganizations migrating to Vault. Allows gradual adoption without disrupting existing workflows.

Secret Rotation: Where Most Programs Fail

Having a secrets manager is necessary but not sufficient. The value of secrets management diminishes dramatically if credentials are never rotated. A leaked credential that is rotated within 24 hours affects one day of operations. A leaked credential that is never rotated affects everything from the moment of creation until someone discovers the leak — which takes an average of 327 days.

Rotation Strategies

StrategyHow It WorksToolsComplexity
Vault dynamic secretsEvery credential request generates a new, unique credential with a TTL. Expired credentials are automatically revoked. No rotation needed because credentials are never reusedVault database secrets engine, AWS secrets engine, PKI engineMedium — requires Vault deployment but rotation is inherent
Cloud-native rotationAWS Secrets Manager and Azure Key Vault offer built-in rotation using Lambda functions or Azure Functions that generate new credentials and update the storeAWS Secrets Manager rotation, Azure Key Vault rotation policiesLow to medium — managed service handles rotation, you write the Lambda/Function
External Secrets Operator refreshESO polls the external store at a configurable interval. When the external value changes (after rotation in the store), ESO updates the Kubernetes SecretESO with refreshInterval: 5m or similarLow — rotation happens in the external store, ESO propagates the change
Manual rotation with automationAutomation script generates new credentials, updates the secret store, and triggers rolling restarts of dependent deploymentsCustom scripts, Ansible, TerraformHigh — error-prone, needs scheduling, must handle dual-credential window
Secret Delivery Flow — External Store to Kubernetes Pod External Store Vault / AWS SM Azure KV / GCP SM Source of truth ESO Controller ExternalSecret CRD Polls at interval Auto-sync changes K8s Secret Native Secret object Encrypted at rest RBAC-protected Application Pod Volume mount (file) Not env vars Least privilege SA Database Dynamic cred TTL expiry Auto-revoke Rotation cycle: new credential generated → external store updated → ESO syncs → pod receives new secret
The modern secret delivery flow: external stores serve as the source of truth, the External Secrets Operator synchronizes to Kubernetes, pods consume secrets as file mounts, and rotation happens automatically through the same pipeline.

Operational Practices for Container Secrets

The Secret Security Checklist

Apply these practices to every containerized environment:

PracticePriorityImplementation
Never hard-code secrets in images or codeCriticalUse pre-commit hooks (detect-secrets, git-secrets) to scan for credentials before they reach Git. Run Trivy or gitleaks in CI to catch secrets that bypass hooks.
Mount as files, not environment variablesCriticalUse volumeMounts for Kubernetes Secrets. Environment variables appear in process listings, container inspect, and crash dumps. Files are only visible to processes that read them.
Enable Kubernetes encryption at restCriticalConfigure EncryptionConfiguration with AES-GCM or KMS provider. Verify with etcdctl that secrets are encrypted.
Apply least-privilege RBAC for secretsHighOnly service accounts that need specific secrets should have RBAC access. Never grant wildcard access to secrets in a namespace.
Rotate credentials automaticallyHighUse Vault dynamic secrets (preferred) or cloud-native rotation. Target maximum credential lifetime: 24 hours for dynamic, 90 days for static.
Audit secret accessHighEnable Kubernetes audit logging at Request level for secrets. Forward to SIEM. Alert on unexpected secret reads.
Use external secret storesHighDeploy ESO or Vault Agent. Never treat Kubernetes Secrets as the source of truth — they should be synchronized from an external store.
Scan for leaked secretsMediumRun secret scanning tools against Git repositories, container images, and deployment manifests. Tools: detect-secrets, gitleaks, Trivy secret scanning.

Secret Breach Response

When a secret is leaked or suspected to be compromised, follow this response sequence:

  1. Revoke immediately — disable the leaked credential at the source (revoke API key, disable database user, rotate TLS certificate). Do not wait for investigation.
  2. Issue new credentials — generate replacement credentials and update the secret store. If using ESO or Vault Agent, the new credentials propagate automatically.
  3. Audit access — review Kubernetes audit logs and Vault audit logs to determine if the leaked credential was used maliciously. Check access patterns (unusual times, unusual source IPs, bulk data access).
  4. Determine root cause — how did the secret leak? Code commit? Log entry? Environment variable exposure? Container image layer? This determines which preventive control needs strengthening.
  5. Implement prevention — add the specific detection pattern to pre-commit hooks and CI scanning. If the leak vector was a systemic issue (all env vars), fix the delivery mechanism (migrate to file mounts).

The key principle: credential rotation is faster than investigation. Revoke first, investigate second. A 10-minute delay in revoking a compromised credential while you investigate can result in significantly more damage than the temporary disruption of rotating the credential.

Frequently Asked Questions

If you operate in a single cloud, the native secret manager (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) is simpler to operate and deeply integrated with IAM. If you operate across multiple clouds or need advanced features like dynamic secrets, encryption as a service, PKI certificate issuance, or SSH key signing, Vault provides capabilities that cloud-native managers do not. Many organizations use both: Vault as the central authority for dynamic secrets and policy management, synced to cloud-native managers via the External Secrets Operator for applications that consume secrets through the native cloud SDK.

David Olowatobi

David Olowatobi

Cloud Security Architect

Network & Cloud Security

David is a network security engineer and cloud security architect with seven years of experience securing enterprise infrastructure. He holds deep expertise in AWS, Azure, and GCP security architecture, having designed and hardened cloud environments for Fortune 500 companies. His focus is on delivering practical, scalable security solutions that protect businesses without sacrificing performance.

You Might Also Like

Docker Security Best Practices: Hardening Containers in Production
Container Security20 min read

Docker Security Best Practices: Hardening Containers in Production

Field-tested Docker hardening guide for 2026. Covers minimal base images, rootless containers, seccomp and AppArmor profiles, Docker Content Trust, build-time security (multi-stage builds, secret handling, layer optimization), runtime protections (read-only filesystems, resource limits, capability dropping), Docker Bench for Security scoring, and a complete CIS Docker Benchmark implementation checklist.

David Olowatobi
David Olowatobi

June 15, 2026

0
Kubernetes Security: RBAC, Network Policies, and Pod Security Standards
Container Security21 min read

Kubernetes Security: RBAC, Network Policies, and Pod Security Standards

Complete Kubernetes security guide for 2026. Covers RBAC design patterns (ClusterRole vs Role, service account hardening, least-privilege bindings), Network Policies (Calico, Cilium, default-deny architectures), Pod Security Standards (Baseline, Restricted, migration from PSP), admission controllers (OPA Gatekeeper, Kyverno), API server hardening, etcd encryption, audit logging, and the CIS Kubernetes Benchmark.

David Olowatobi
David Olowatobi

July 5, 2026

0
Free Newsletter

Stay Ahead of Cyber Threats

Get weekly cybersecurity insights and practical tips. No spam, just actionable advice to keep you safe.