New to kubeseal; questions to further my understanding.

[IngwiePhoenix]

Hello there!

I am currently putting together my k3s cluster and I am quite deep in the organization of deployments; creds for cert-manager and external-secrets (API tokens, most of the time) as well as some fundamentals like private keys used in some other tools. Now, I would love to switch to GitOps instead of having the whole repository just live off my NAS storage - both as a means of backup as well as a means of being able to share things with others - and thus I ended up here.

I just read theough the whole readme, but I feel a little overwhelmed; so, just to make sure I got the key details right, would you mind confirming?

1. KubeSeal's private key lives only in the cluster.
2. Unless I manually grab the private key itself, it also never gets stored on my laptop (I often access my cluster via my laptop through a Headscale VPN while at school and work). So in order to encrypt a secret, the key is first obtained from the cluster, then used to encrypt the secret, and the output then made available to be stored (on stdout, as far as I can tell).
3. If my cluster goes kaputt for one reason or another, I will have to either restore a backup of the key that I took manually, or implement a backup solution (I think there is one called Velero?) myself - for instance, a scheduled CronJob that perhaps uses rclone to send the backup into my Proton Drive in addition to my NAS. If I ever lose the private key (as in, never took a backup of it), every single SealedSecret that I do not have in plain form anymore, is effectively a goner.
4. So far, I believe if I use .gitignore to exclude raw secrets (i.e. **.scr.yaml) but leave the generated SealedSecrets in the repo, I should be fine posting them online?

Thank you in advance, and apologies for the many questions! I have started to get the hang with k3s, but before putting any of my deployments online and implementing some CD (Fleet or something), I want to make sure I properly understood Kubeseal before accidentially leaking sensitive data.

Because, nobody likes roasted nuts. And even less, leaked creds. ;)

Kind regards,
Ingwie