kubekanvas keys
Manage encryption keys for end-to-end encryption of Kubernetes Secrets. Keys ensure that sensitive data in your Kubernetes manifests (passwords, API keys, TLS certificates) are encrypted before leaving your machine and can only be decrypted by authorized CLI instances.
Subcommands
| Command | Description |
|---|---|
| keys generate | Generate a new encryption keypair |
| keys import <file> | Import an existing private key from a file |
| keys copy | Copy your private key to the clipboard |
| keys delete | Delete your encryption key locally and from the server |
keys generate
Generate a new encryption keypair. The private key is stored securely in your system keychain, and the public key is uploaded to your KubeKanvas organization.
```
kubekanvas keys generate
```

If a key already exists on your machine, the command will warn you and exit. Delete the existing key first if you need to regenerate.
What Happens
- An encryption keypair is generated
- The private key is stored in your operating system keychain
- The public key is derived and uploaded to your KubeKanvas organization
- A description is attached: “Generated by kubekanvas CLI on [hostname] at [timestamp]”
keys import <file>
Import an existing private key from a file. This is useful when sharing keys between team members or migrating between machines.
```
kubekanvas keys import /path/to/private-key.txt
```

The file must contain a line starting with AGE-SECRET-KEY-. The CLI extracts the first valid key, derives the public key, stores both, and uploads the public key to your organization.
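
A pre-import check for the key file, as an added example that is not part of the kubekanvas CLI: the hypothetical helper `check_age_key_file` refuses files readable by group or others (an assumed hygiene rule, not a documented CLI requirement) and reports which line holds the first AGE-SECRET-KEY- entry without printing the key. It checks only the prefix named above, not the key's encoding, and the sample file is constructed.

```shell
# Added example: check a key file before running `kubekanvas keys import`.
# check_age_key_file is a hypothetical helper, not a kubekanvas command.
# Prints the line number of the first key line; never prints the key itself.
check_age_key_file() {
    file=$1
    [ -f "$file" ] && [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 2; }

    # Assumed hygiene rule: private key files must not be readable by
    # group or others. GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) ;;
        *) echo "error: $file has mode $mode, expected 600 or 400" >&2; return 3 ;;
    esac

    # The import requires a line starting with AGE-SECRET-KEY-.
    lineno=$(grep -n '^AGE-SECRET-KEY-' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$lineno" ] || { echo "error: no line starting with AGE-SECRET-KEY-" >&2; return 4; }

    # Only the first key is imported, so flag files that carry several.
    count=$(grep -c '^AGE-SECRET-KEY-' "$file")
    if [ "$count" -gt 1 ]; then
        echo "warning: $count key lines found; only the first (line $lineno) is used" >&2
    fi
    echo "$lineno"
}

# Constructed sample file (placeholder text, not a real key).
tmp=$(mktemp)
chmod 600 "$tmp"
printf '%s\n' '# constructed sample' 'AGE-SECRET-KEY-1PLACEHOLDERNOTAREALKEY' > "$tmp"
check_age_key_file "$tmp"   # prints 2
rm -f "$tmp"
```
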
keys copy
Copy your private key to the system clipboard for sharing with team members (e.g., for re-encrypting shared Kubernetes Secrets).
```
kubekanvas keys copy
```

| Platform | Clipboard Tool |
|---|---|
| macOS | pbcopy |
| Linux | xclip -selection clipboard |
| Windows | clip |
If the clipboard tool is unavailable, the private key is displayed in the terminal for manual copy.
Security warning: Your private key is sensitive. Only share it with trusted team members who need to decrypt Kubernetes Secrets encrypted with your public key.
keys delete
Delete your encryption key from both your local machine and the KubeKanvas server.
```
kubekanvas keys delete
```

Irreversible: Any Kubernetes Secrets encrypted with this key will become permanently undecryptable unless you have a backup of the private key. Re-encrypt secrets with a new key before deleting.
What Happens
- The CLI checks if a key exists and displays its public key fingerprint
- A confirmation prompt requires you to type yes to proceed
- The public key is removed from all organizations on the KubeKanvas server
- The private key is deleted from your system keychain
How Encryption Works
KubeKanvas uses end-to-end encryption for Kubernetes Secrets:
- When you add a Secret in the KubeKanvas visual editor, its values are encrypted using the public keys of all team members who have uploaded keys
- Encrypted secret data is stored on the server — the server never sees the plaintext
- When the CLI receives a deployment command, it decrypts the secrets using its local private key before applying them to the cluster
Note: Encryption keys are typically set up automatically during kubekanvas configure. The keys subcommands are for manual key management when needed.