diff --git a/sealed-secrets/README.md b/sealed-secrets/README.md new file mode 100644 index 0000000..4ce5bb4 --- /dev/null +++ b/sealed-secrets/README.md @@ -0,0 +1,31 @@ +# Sealed Secrets + +[Sealed Secrets] is a tool for Kubernetes that allows administrators to +store secret data securely in manifest files. It is designed to solve +one of the most difficult problems with GitOps workflows: all Kubernetes +resources can be stored in YAML files in a Git repository, except for secrets. +*Sealed Secrets* works by encrypting the actual secret values using asymmetric +encryption; the `kubeseal` client encypts the data with the public key, and the +Sealed Secrets controller decrypts them using its private key. Administrators +only interact with SealedSecret objects, which can be committed to Git, shared +with other administrators, etc. + +The Sealed Secrets controller can be installed easily: + +```sh +kubectl apply -k sealed-secrets +``` + +To create new SealedSecret manifests, install the `kubeseal` command from +https://github.com/bitnami-labs/sealed-secrets/releases + +```sh +kubectl --dry-run=client create secret generic \ + -o yaml \ + -n home-assistant mosquitto \ + --from-file passwd=home-assistant/mosquitto.passwd \ + | kubeseal -o yaml \ + > home-assistant/secrets.yaml +``` + +[Sealed Secrets]: https://github.com/bitnami-labs/sealed-secrets#readme diff --git a/sealed-secrets/kustomization.yaml b/sealed-secrets/kustomization.yaml new file mode 100644 index 0000000..df42275 --- /dev/null +++ b/sealed-secrets/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.1/controller.yaml
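Review bot: The README hunk leaves out two operational caveats a reader of this runbook needs. First, the controller's private key is the only thing that can unseal anything committed to Git, so losing the cluster (or the `kube-system` secret holding the sealing key) loses every SealedSecret; a line on backing that key secret up out of cluster, as the upstream README describes, belongs next to `kubectl apply -k sealed-secrets`. Second, with the default strict scope a SealedSecret is bound to the namespace and name it was sealed for, so the manifest produced by `-n home-assistant mosquitto` in the `kubeseal` example only unseals as that name in that namespace and must be re-sealed if either changes. It would also help to say that the `kubeseal` binary from the releases page should match the controller version pinned in the kustomization (v0.24.1). Minor: `encypts` in "the `kubeseal` client encypts the data" should be `encrypts`.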
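Review bot: `resources: - https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.1/controller.yaml` is fetched over the network on every `kubectl apply -k sealed-secrets` and is pinned only by a release tag, not by content, so a replaced or tampered release asset would be applied with whatever RBAC the manifest grants and nothing in this repo would show the change. Vendoring `controller.yaml` into `sealed-secrets/` (with the release tag noted in a comment) or recording and checking a checksum of the file before committing it would make the install reproducible and reviewable in Git, which is the GitOps property the README is arguing for.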