{"id":36963987,"url":"https://github.com/eznix86/kseal","last_synced_at":"2026-01-13T19:11:56.279Z","repository":{"id":328530198,"uuid":"1115926278","full_name":"eznix86/kseal","owner":"eznix86","description":"CLI tool to view, export, and encrypt Kubernetes Secrets.","archived":false,"fork":false,"pushed_at":"2025-12-14T18:51:28.000Z","size":103,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-15T13:42:00.040Z","etag":null,"topics":["bitnami","kubernetes","kubeseal","python","secrets"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eznix86.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-13T20:48:41.000Z","updated_at":"2025-12-14T22:54:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/eznix86/kseal","commit_stats":null,"previous_names":["eznix86/kseal"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/eznix86/kseal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eznix86%2Fkseal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eznix86%2Fkseal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eznix86%2Fkseal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eznix86%2Fkseal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eznix86","download_url":"https://codeload.github.com/eznix86/kseal/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eznix86%2Fkseal/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28397826,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitnami","kubernetes","kubeseal","python","secrets"],"created_at":"2026-01-13T19:11:55.804Z","updated_at":"2026-01-13T19:11:56.272Z","avatar_url":"https://github.com/eznix86.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kseal\n\n[![PyPI](https://img.shields.io/pypi/v/kseal)](https://pypi.org/project/kseal/)\n[![Python](https://img.shields.io/pypi/pyversions/kseal)](https://pypi.org/project/kseal/)\n[![License](https://img.shields.io/github/license/eznix86/kseal)](LICENSE)\n[![Tests](https://github.com/eznix86/kseal/actions/workflows/test.yml/badge.svg)](https://github.com/eznix86/kseal/actions/workflows/test.yml)\n\nA kubeseal companion CLI for viewing, exporting, encrypting, and **offline decrypting** Kubernetes Secrets.\n\n## Installation\n\n```bash\npipx install kseal\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eOther installation methods\u003c/summary\u003e\n\nWith [uv](https://github.com/astral-sh/uv):\n\n```bash\nuv tool install kseal\n```\n\nWith pip:\n\n```bash\npip install kseal\n```\n\n\u003c/details\u003e\n\n### Requirements\n\n- Python 3.12+\n- Kubernetes cluster access (not required for offline decryption)\n- Sealed Secrets controller installed in cluster\n\n## Quick Start\n\n```bash\n# View a decrypted secret (requires cluster access)\nkseal cat secrets/app.yaml\n\n# Export all secrets to files\nkseal export --all\n\n# Encrypt a plaintext secret\nkseal encrypt secret.yaml -o sealed.yaml\n\n# Offline decryption (no cluster access needed)\nkseal export-keys                              # Backup keys while you have access\nkseal decrypt sealed.yaml                      # Decrypt using local keys\nkseal decrypt-all --in-place                   # Decrypt all SealedSecrets\n```\n\n## Commands\n\n### `kseal cat`\n\nView decrypted secret contents with syntax highlighting.\n\n```bash\nkseal cat path/to/sealed-secret.yaml\nkseal cat sealed.yaml --no-color\n```\n\n### `kseal export`\n\nExport decrypted secrets to files.\n\n```bash\n# Single file\nkseal export sealed.yaml\nkseal export sealed.yaml -o output.yaml\n\n# All local SealedSecrets\nkseal export --all\n\n# All secrets from cluster\nkseal export --all --from-cluster\n```\n\nDefault output: `.unsealed/\u003coriginal-path\u003e` or `.unsealed/\u003cnamespace\u003e/\u003cname\u003e.yaml`\n\n### `kseal encrypt`\n\nEncrypt plaintext secrets using kubeseal.\n\n```bash\n# To stdout\nkseal encrypt secret.yaml\n\n# To file\nkseal encrypt secret.yaml -o sealed.yaml\n\n# Replace original file\nkseal encrypt secret.yaml --in-place\n```\n\n### `kseal export-keys`\n\nExport sealed-secrets private keys from cluster for offline decryption.\n\n```bash\n# Export to default location\nkseal export-keys                      # → .kseal-keys/\n\n# Custom output directory\nkseal export-keys -o ./backup\n\n# From different namespace\nkseal export-keys -n kube-system\n```\n\n### `kseal decrypt`\n\nDecrypt a SealedSecret using local private keys (no cluster access needed).\n\n```bash\n# Using keys from default location\nkseal decrypt sealed.yaml\n\n# Using specific key file\nkseal decrypt sealed.yaml --private-key ./key.pem\n\n# From stdin\ncat sealed.yaml | kseal decrypt\n\n# Filter keys by pattern\nkseal decrypt sealed.yaml --private-keys-regex \"2025\"\n```\n\n### `kseal decrypt-all`\n\nDecrypt all SealedSecrets in a directory using local private keys.\n\n```bash\n# Search current directory, output to stdout\nkseal decrypt-all\n\n# Search specific directory\nkseal decrypt-all ./manifests\n\n# Replace files in-place\nkseal decrypt-all --in-place\n\n# Custom keys location\nkseal decrypt-all --private-keys-path ./backup\n```\n\n### `kseal init`\n\nCreate a configuration file with the latest kubeseal version pinned.\n\n```bash\nkseal init\nkseal init --force  # Overwrite existing\n```\n\n### `kseal version`\n\nManage kubeseal binary versions.\n\n```bash\n# List downloaded versions\nkseal version list\n\n# Download the latest version\nkseal version update\n\n# Set global default version\nkseal version set 0.27.0\n\n# Clear default (use highest downloaded)\nkseal version set --clear\n```\n\n## Configuration\n\nConfiguration priority: Environment variables \u003e `.kseal-config.yaml` \u003e Global settings\n\n| Option | Environment Variable | Default |\n|--------|---------------------|---------|\n| `version` | `KSEAL_VERSION` | Global default or highest downloaded |\n| `controller_name` | `KSEAL_CONTROLLER_NAME` | `sealed-secrets` |\n| `controller_namespace` | `KSEAL_CONTROLLER_NAMESPACE` | `sealed-secrets` |\n| `unsealed_dir` | `KSEAL_UNSEALED_DIR` | `.unsealed` |\n\n\u003cdetails\u003e\n\u003csummary\u003eExample config file\u003c/summary\u003e\n\n```yaml\n# .kseal-config.yaml\nversion: \"0.27.0\"\ncontroller_name: sealed-secrets\ncontroller_namespace: kube-system\nunsealed_dir: .secrets\n```\n\n\u003c/details\u003e\n\n## Version Management\n\nkseal automatically manages kubeseal binary versions:\n\n- Binaries are stored at `~/.local/share/kseal/kubeseal-\u003cversion\u003e`\n- Each project can pin a specific version in `.kseal-config.yaml`\n- Global settings are stored in `~/.local/share/kseal/settings.yaml`\n\n**Version resolution order:**\n1. Project config version (`.kseal-config.yaml`)\n2. Global default version (`kseal version set`)\n3. Highest downloaded version\n4. Fetch latest from GitHub (first run only)\n\n## Security\n\n- Add `.unsealed/` and `.kseal-keys/` to your `.gitignore`\n- Never commit plaintext secrets or private keys to version control\n- Store exported keys securely (e.g., password manager, encrypted backup)\n- Offline decryption with `kseal decrypt` requires the private keys - keep them safe\n\n## Contributing\n\n```bash\ngit clone https://github.com/eznix86/kseal.git\ncd kseal\nuv sync\n\n# Run tests\nmake test\n\n# Run linter\nmake lint\n```\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feznix86%2Fkseal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feznix86%2Fkseal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feznix86%2Fkseal/lists"}