A kubeseal companion CLI - decrypt, export, and encrypt Kubernetes Secrets with automatic binary management

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for eznix86 from gravatar.com eznix86

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Bruno Bernard
  • Tags cli , kubernetes , kubeseal , sealed-secrets , secrets
  • Requires: Python >=3.12
Classifiers
Report project as malware

Project description

kseal

PyPI Python License Tests

A kubeseal companion CLI for viewing, exporting, encrypting, and offline decrypting Kubernetes Secrets.

Installation

pipx install kseal
Other installation methods

With uv:

uv tool install kseal

With pip:

pip install kseal

Requirements

  • Python 3.12+
  • Kubernetes cluster access (not required for offline decryption)
  • Sealed Secrets controller installed in cluster

Quick Start

# View a decrypted secret (requires cluster access)
kseal cat secrets/app.yaml

# Export all secrets to files
kseal export --all

# Encrypt a plaintext secret
kseal encrypt secret.yaml -o sealed.yaml

# Offline decryption (no cluster access needed)
kseal export-keys                              # Backup keys while you have access
kseal decrypt sealed.yaml                      # Decrypt using local keys
kseal decrypt-all --in-place                   # Decrypt all SealedSecrets

Commands

kseal cat

View decrypted secret contents with syntax highlighting.

kseal cat path/to/sealed-secret.yaml
kseal cat sealed.yaml --no-color

kseal export

Export decrypted secrets to files.

# Single file
kseal export sealed.yaml
kseal export sealed.yaml -o output.yaml

# All local SealedSecrets
kseal export --all

# All secrets from cluster
kseal export --all --from-cluster

Default output: .unsealed/<original-path> or .unsealed/<namespace>/<name>.yaml

kseal encrypt

Encrypt plaintext secrets using kubeseal.

# To stdout
kseal encrypt secret.yaml

# To file
kseal encrypt secret.yaml -o sealed.yaml

# Replace original file
kseal encrypt secret.yaml --in-place

kseal export-keys

Export sealed-secrets private keys from cluster for offline decryption.

# Export to default location
kseal export-keys                      # → .kseal-keys/

# Custom output directory
kseal export-keys -o ./backup

# From different namespace
kseal export-keys -n kube-system

kseal decrypt

Decrypt a SealedSecret using local private keys (no cluster access needed).

# Using keys from default location
kseal decrypt sealed.yaml

# Using specific key file
kseal decrypt sealed.yaml --private-key ./key.pem

# From stdin
cat sealed.yaml | kseal decrypt

# Filter keys by pattern
kseal decrypt sealed.yaml --private-keys-regex "2025"

kseal decrypt-all

Decrypt all SealedSecrets in a directory using local private keys.

# Search current directory, output to stdout
kseal decrypt-all

# Search specific directory
kseal decrypt-all ./manifests

# Replace files in-place
kseal decrypt-all --in-place

# Custom keys location
kseal decrypt-all --private-keys-path ./backup

kseal init

Create a configuration file with the latest kubeseal version pinned.

kseal init
kseal init --force  # Overwrite existing

kseal version

Manage kubeseal binary versions.

# List downloaded versions
kseal version list

# Download the latest version
kseal version update

# Set global default version
kseal version set 0.27.0

# Clear default (use highest downloaded)
kseal version set --clear

Configuration

Configuration priority: Environment variables > .kseal-config.yaml > Global settings

Option Environment Variable Default
version KSEAL_VERSION Global default or highest downloaded
controller_name KSEAL_CONTROLLER_NAME sealed-secrets
controller_namespace KSEAL_CONTROLLER_NAMESPACE sealed-secrets
unsealed_dir KSEAL_UNSEALED_DIR .unsealed
Example config file 
# .kseal-config.yaml
version: "0.27.0"
controller_name: sealed-secrets
controller_namespace: kube-system
unsealed_dir: .secrets

Version Management

kseal automatically manages kubeseal binary versions:

  • Binaries are stored at ~/.local/share/kseal/kubeseal-<version>
  • Each project can pin a specific version in .kseal-config.yaml
  • Global settings are stored in ~/.local/share/kseal/settings.yaml

Version resolution order:

  1. Project config version (.kseal-config.yaml)
  2. Global default version (kseal version set)
  3. Highest downloaded version
  4. Fetch latest from GitHub (first run only)

Security

  • Add .unsealed/ and .kseal-keys/ to your .gitignore
  • Never commit plaintext secrets or private keys to version control
  • Store exported keys securely (e.g., password manager, encrypted backup)
  • Offline decryption with kseal decrypt requires the private keys - keep them safe

Contributing

git clone https://github.com/eznix86/kseal.git
cd kseal
uv sync

# Run tests
make test

# Run linter
make lint

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for eznix86 from gravatar.com eznix86

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Bruno Bernard
  • Tags cli , kubernetes , kubeseal , sealed-secrets , secrets
  • Requires: Python >=3.12
Classifiers

Release history Release notifications | RSS feed

2.1.1

2.1.0

This version

2.0.2

2.0.1

2.0.0

1.0.1

1.0.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kseal-2.0.2.tar.gz (69.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kseal-2.0.2-py3-none-any.whl (22.8 kB view details)

Uploaded Python 3

File details

Details for the file kseal-2.0.2.tar.gz.

File metadata

  • Download URL: kseal-2.0.2.tar.gz
  • Upload date:
  • Size: 69.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.17 {"installer":{"name":"uv","version":"0.9.17","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for kseal-2.0.2.tar.gz
Algorithm Hash digest
SHA256 66084216b065ff01d87291abe608fe23576bf2db7f01eaf93296417f996143ba
MD5 f1975ad65d10b266783cd4db740ed5ed
BLAKE2b-256 325e9f12a68bc926d36e3ef31d25106b62f7a238ca74ae8672211e6ecf42f3b0

See more details on using hashes here.

File details

Details for the file kseal-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: kseal-2.0.2-py3-none-any.whl
  • Upload date:
  • Size: 22.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.17 {"installer":{"name":"uv","version":"0.9.17","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for kseal-2.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 16e1586f4f703e5b17fcef68432db56cbab48bf87d8a8f7ad7947788123b557b
MD5 addd2d79ae9f8bf5617212b72b0fdbee
BLAKE2b-256 07efcca671512967cd7154b59910104cc065ad241819aa4f8d03bed89160c2eb

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page