Kubermatic SecureGuard
Secure and Automate How Your Teams Manage Secrets
Every modern platform runs on secrets: API keys, database passwords, certificates, and tokens. They unlock production systems, customer data, and AI workloads. They are also one of the easiest ways into your infrastructure.
Verizon, 2025 Data Breach Investigations Report
At the same time, secret handling drains engineering time, with developers losing an average of 3 hours per week dealing with manual secret management.
Secrets are both a security risk and an operational challenge. Kubermatic SecureGuard provides a Kubernetes-native way to manage them.
What is Kubermatic SecureGuard?
Kubermatic SecureGuard is an open-source secrets management platform that acts as a secure transport layer for secrets in cloud-native and traditional environments.
Built on OpenBao and integrated with the External Secrets Operator (ESO), KubeSG automates the full lifecycle of secrets, and delivers credentials directly into Kubernetes.
It brings open governance, transparency, and automation to one of the most critical layers of modern infrastructure: application identities.
Technical Foundations
As an open-source solution, KubeSG is built entirely on open-source components maintained by the community. This makes its security model transparent, auditable, and free from closed or proprietary modules.
OpenBao Core
A community-led, secure backend providing encryption-as-a-service, fine-grained access control, and immutable audit logs.
ESO Integration
KubeSG leverages the External Secrets Operator to synchronize secrets directly into Kubernetes. This allows developers to interact with standard Kubernetes Secret objects while the "heavy lifting" of synchronization and security happens in the background.
Key Features
OpenBao Core Engine
A community-led backend providing encryption-as-a-service, secure storage, and detailed audit logs.
ESO Integration
Use the External Secrets Operator to sync secrets directly into Kubernetes without requiring custom app SDKs.
"Breakage-Free" Rotation
Automate the update of database passwords and API keys without requiring application restarts.
Native Kubernetes Experience
Developers interact with standard Secret objects, making security invisible to their daily workflow.
Auto-Unsealing & Initialization
Eliminates manual overhead by automatically managing the secrets backend lifecycle across cloud providers.
Highly Customizable
Adjusts to your organizational structure, supporting various storage backends (S3, GCS, Azure, Raft) and authentication methods.
Key Benefits
Automated Lifecycle & "Breakage-Free" Rotation
KubeSG automates the entire lifecycle: storage, delivery, rotation, and auditing. Because it integrates natively with Kubernetes, it enables breakage-free secret rotation. Applications receive updated credentials automatically without requiring a manual restart or code changes.
Built for the AI Era
As organizations deploy Large Language Models (LLMs), managing AI API keys and tokens becomes a critical risk. KubeSG provides a centralized vault to store and rotate AI-specific secrets, ensuring your sensitive prompts and data streams remain protected.
Native Experience, No SDKs
We believe security should be invisible to the developer. KubeSG delivers secrets natively within Kubernetes. There are no proprietary SDKs to learn, and no app rewrites required. Just secure, identity-based access to the data your code needs.
Open Governance & Cost Efficiency
Proprietary tools impose restrictive licensing and “black box” security modules. KubeSG is transparent and community-driven. This eliminates vendor lock-in and significantly lowers the Total Cost of Ownership (TCO) compared to enterprise-licensed alternatives.
Designed for real-world teams
Security & Platform teams
Gain a single place to define policies, audit access, and reduce blast radius.
DevOps teams
Automate secret delivery and rotation instead of running tickets and scripts.
Developers
Simply get the secrets they need, inside Kubernetes, and stay focused on shipping code.
Security & Platform teams
Gain a single place to define policies, audit access, and reduce blast radius.
DevOps teams
Automate secret delivery and rotation instead of running tickets and scripts.
Developers
Simply get the secrets they need, inside Kubernetes, and stay focused on shipping code.
For details about the benefits of KubeSG for different teams, please see our full whitepaper.
In sum: More Security, More Transparency
Kubermatic SecureGuard is the open, Kubernetes-native alternative to the status quo. It is designed for organizations that refuse to choose between the speed of automation and the security of a hardened, transparent vault.
Secure and automate how your teams manage secrets. Keep them safe with open-source transparency.
About Kubermatic
Kubermatic is a leader in Kubernetes and cloud-native technologies, dedicated to empowering organizations with advanced solutions that simplify and optimize IT management. Our products are designed to meet the needs of modern enterprises, providing the tools and support necessary to drive innovation and achieve business success. Reach out to us on the button below for more information about Kubermatic solutions!