diff --git a/src/libs/protocols/Cargo.toml b/src/libs/protocols/Cargo.toml
index 9c0033d17e..eb20a9c772 100644
--- a/src/libs/protocols/Cargo.toml
+++ b/src/libs/protocols/Cargo.toml
@@ -9,6 +9,7 @@ license = "Apache-2.0"
 default = []
 with-serde = [ "serde", "serde_json" ]
 async = ["ttrpc/async", "async-trait"]
+sealed-secret = []
 
 [dependencies]
 ttrpc = { version = "0.7.1" }
diff --git a/src/libs/protocols/build.rs b/src/libs/protocols/build.rs
index af0dc691ea..ac7fb5cbdc 100644
--- a/src/libs/protocols/build.rs
+++ b/src/libs/protocols/build.rs
@@ -204,6 +204,8 @@ fn real_main() -> Result<(), std::io::Error> {
                 "protos/agent.proto",
                 "protos/health.proto",
                 "protos/image.proto",
+                #[cfg(feature = "sealed-secret")]
+                "protos/sealed_secret.proto",
             ],
             true,
         )?;
@@ -211,6 +213,11 @@ fn real_main() -> Result<(), std::io::Error> {
         fs::rename("src/agent_ttrpc.rs", "src/agent_ttrpc_async.rs")?;
         fs::rename("src/health_ttrpc.rs", "src/health_ttrpc_async.rs")?;
         fs::rename("src/image_ttrpc.rs", "src/image_ttrpc_async.rs")?;
+        #[cfg(feature = "sealed-secret")]
+        fs::rename(
+            "src/sealed_secret_ttrpc.rs",
+            "src/sealed_secret_ttrpc_async.rs",
+        )?;
     }
 
     codegen(
@@ -219,6 +226,8 @@ fn real_main() -> Result<(), std::io::Error> {
             "protos/agent.proto",
             "protos/health.proto",
             "protos/image.proto",
+            #[cfg(feature = "sealed-secret")]
+            "protos/sealed_secret.proto",
         ],
         false,
     )?;
diff --git a/src/libs/protocols/protos/sealed_secret.proto b/src/libs/protocols/protos/sealed_secret.proto
new file mode 100644
index 0000000000..cba1382873
--- /dev/null
+++ b/src/libs/protocols/protos/sealed_secret.proto
@@ -0,0 +1,27 @@
+syntax = "proto3";
+
+package api;
+
+message UnsealSecretInput {
+    bytes secret = 1;
+}
+
+message UnsealSecretOutput {
+    bytes plaintext = 1;
+}
+
+message GetResourceRequest {
+    string ResourcePath = 1;
+}
+
+message GetResourceResponse {
+    bytes Resource = 1;
+}
+
+service SealedSecretService {
+    rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
+}
+
+service GetResourceService {
+    rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {};
+}
diff --git a/src/libs/protocols/src/lib.rs b/src/libs/protocols/src/lib.rs
index 0fe254704e..71f16116b0 100644
--- a/src/libs/protocols/src/lib.rs
+++ b/src/libs/protocols/src/lib.rs
@@ -31,3 +31,10 @@ pub use serde_config::{
     deserialize_enum_or_unknown, deserialize_message_field, serialize_enum_or_unknown,
     serialize_message_field,
 };
+
+#[cfg(feature = "sealed-secret")]
+pub mod sealed_secret;
+#[cfg(feature = "sealed-secret")]
+pub mod sealed_secret_ttrpc;
+#[cfg(all(feature = "sealed-secret", feature = "async"))]
+pub mod sealed_secret_ttrpc_async;