diff --git a/nix/configuration/roles/kubernetes/default.nix b/nix/configuration/roles/kubernetes/default.nix
index 711f41e..e19b660 100644
--- a/nix/configuration/roles/kubernetes/default.nix
+++ b/nix/configuration/roles/kubernetes/default.nix
@@ -28,6 +28,21 @@ let
 alias_klog = pkgs.writeShellScriptBin "klog" ''
 exec ${pkgs.kubectl}/bin/kubectl logs --all-containers "$@"
 '';
+ decrypt_k8s_secret =
+ (pkgs.writeScriptBin "decrypt_k8s_secret" (builtins.readFile ./files/decrypt_k8s_secret.bash))
+ .overrideAttrs
+ (old: {
+ buildCommand = "${old.buildCommand}\n patchShebangs $out";
+ buildInputs = [ pkgs.makeWrapper ];
+ postBuild = ''
+ wrapProgram $out/bin/decrypt_k8s_secret --prefix PATH : ${
+ lib.makeBinPath [
+ pkgs.kubectl
+ pkgs.jq
+ ]
+ }
+ '';
+ });
 in
 {
 imports = [ ];
@@ -55,6 +70,7 @@ in
 alias_kdel
 alias_kd
 alias_klog
+ decrypt_k8s_secret
 ];
 environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
diff --git a/nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash b/nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash
new file mode 100644
index 0000000..6f4ee87
--- /dev/null
+++ b/nix/configuration/roles/kubernetes/files/decrypt_k8s_secret.bash
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+#
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+kubectl get secret -o json "${@}" | jq '.data[] |= @base64d | .data'
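Review bot: The `postBuild` attribute added in the `overrideAttrs` call in default.nix is probably never executed, so the `wrapProgram` step that puts the pinned `kubectl` and `jq` first on PATH may be silently skipped. `writeScriptBin` builds through `buildCommand`, and as far as I know stdenv's generic builder returns right after evaluating `buildCommand` without running phase hooks; unless the inherited `old.buildCommand` evaluates `$postBuild` itself (not visible in this hunk), the script resolves both tools from the caller's PATH, which is undesirable for a helper that handles secret material. Consider doing the wrapping inside the command, e.g. `buildCommand = "${old.buildCommand}\n patchShebangs $out\n wrapProgram $out/bin/decrypt_k8s_secret --prefix PATH : ${lib.makeBinPath [ pkgs.kubectl pkgs.jq ]}";`, and listing `pkgs.makeWrapper` under `nativeBuildInputs` rather than `buildInputs`. Checking whether the built `$out/bin/decrypt_k8s_secret` is a wrapper script or the bare bash file would confirm either way.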
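Review bot: The jq filter on the last line of decrypt_k8s_secret.bash errors out whenever `.data` is null, which is the case for a Secret with no data and for any invocation that makes kubectl return a list (no name, several names, or a label selector), and under `set -euo pipefail` that surfaces only as a non-zero exit with a jq error. `jq '(.data // {}) | map_values(@base64d)'` produces the same output for a single Secret and an empty object otherwise. `@base64d` also decodes to a string, so binary values (a keystore, for instance) will not round-trip through this tool. The header comment is an empty `#` and `DIR` is assigned but never used; I would drop `DIR` and replace the comment with `# Print the base64-decoded .data of a Secret as JSON; args are passed to "kubectl get secret".` plus a second line noting that Secret values are only base64-encoded, not encrypted, and that the output is plaintext on stdout.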