KubeKanvas Documentation

Your bridge between the KubeKanvas visual Kubernetes IDE and your clusters.

Secret Encryption

KubeKanvas can encrypt Secret values before they ever leave your browser, so plaintext credentials never touch KubeKanvas servers, your Git history, or your CI/CD logs.

Why Default Secrets Are Risky

  • Accidental Git commits — a base64-encoded value committed to a repository exposes the credential permanently, even after deletion from history.
  • Misconfigured RBAC — any principal with get on the Secret object can read every value.
  • Unencrypted etcd — Kubernetes does not encrypt the etcd datastore by default, so anyone with backend access can read all Secret data directly.

How KubeKanvas Encrypts Secrets

KubeKanvas uses a public-private key pair to encrypt your secrets. Each user who has installed and configured the KubeKanvas CLI agent generates their own unique key pair. This design ensures that:

  • The public key is stored in KubeKanvas and used to encrypt values in the browser.
  • The private key lives exclusively on the user's computer and is used by the CLI to decrypt the secrets. KubeKanvas servers never see the private key.

Zero-trust by design:

Encryption happens locally in your browser using your workspace public key. Even the KubeKanvas AI assistant only ever receives [ENCRYPTED] placeholders; plaintext values are never transmitted to or stored on KubeKanvas servers.

The Encryption Workflow

  1. Open a project in the KubeKanvas visual editor and add a Secret resource by dragging and dropping a Secret from the left toolbar.
  2. Create a new value, e.g. DB_PASSWORD, in the Secret resource.
  3. Click the Encrypt button next to the value. The browser encrypts it locally using your public key (the one stored on the KubeKanvas servers).
  4. The encrypted value is stored as AGE-ENC:<base64> inside the generated Helm chart.
  5. When you deploy, the KubeKanvas CLI or helm-kubekanvas decrypts the value in memory using the private key and applies the plaintext Secret to your cluster.

Encrypted Value Format

Encrypted values use the AGE-ENC: prefix followed by base64-encoded AGE binary ciphertext:

AGE-ENC:<base64-encoded AGE binary ciphertext>

These values are safe to commit to Git. Without the private key they are unreadable.

Context-aware decryption

The CLI understands Kubernetes resource structure and handles output encoding automatically:

Resource          Field            Output after decryption
kind: Secret      .data.*          Plaintext → base64-encoded (Kubernetes requires it)
kind: Secret      .stringData.*    Plaintext
Any other kind    any field        Plaintext
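The following is an added example, not part of the KubeKanvas documentation or CLI: a small pre-commit style audit that checks each Secret value for the AGE-ENC: format described above (prefix, valid base64, and the age binary header "age-encryption.org/v1") and applies the context-aware encoding rule from the table. The manifest and the ciphertext body are constructed placeholders, not real KubeKanvas output.

```python
import base64
import binascii

AGE_PREFIX = "AGE-ENC:"
AGE_MAGIC = b"age-encryption.org/v1"  # first line of the age binary header

def is_age_enc(value):
    """True if value is 'AGE-ENC:' + valid base64 that decodes to an age ciphertext header."""
    if not isinstance(value, str) or not value.startswith(AGE_PREFIX):
        return False
    try:
        raw = base64.b64decode(value[len(AGE_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(AGE_MAGIC)

def output_encoding(kind, field):
    """Encoding the CLI must emit after decryption: Secret.data is base64, everything else plaintext."""
    return "base64" if (kind == "Secret" and field == "data") else "plaintext"

def audit_secret(doc):
    """Return (field, key, reason) for every Secret value that is not AGE-ENC: encrypted.

    A non-empty result means a plaintext (or merely base64-encoded) value would land in Git."""
    if doc.get("kind") != "Secret":
        return []
    findings = []
    for field in ("data", "stringData"):
        for key, value in (doc.get(field) or {}).items():
            if not is_age_enc(value):
                findings.append((field, key, "unencrypted %s value" % field))
    return findings

# Constructed sample: the ciphertext body is a placeholder, not real age output.
SAMPLE_ENC = AGE_PREFIX + base64.b64encode(AGE_MAGIC + b"\n-> X25519 placeholder\n").decode()
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds"},
    "data": {
        "DB_PASSWORD": SAMPLE_ENC,                       # encrypted: safe to commit
        "DB_USER": base64.b64encode(b"admin").decode(),  # plain base64: exposed in Git
    },
    "stringData": {"DB_HOST": "db.internal"},  # flagged too: every Secret value is treated as sensitive
}

if __name__ == "__main__":
    for field, key, reason in audit_secret(SAMPLE_SECRET):
        print("%s.%s: %s (%s after decryption)" % (field, key, reason, output_encoding("Secret", field)))
```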

Managing Encryption Keys

Your AGE key pair is created when you first configure a cluster. You can manage it with the keys command:

# View your current public key
kubekanvas keys show

# Rotate your key pair
kubekanvas keys rotate

Multi-Recipient Support

Team members can be added as AGE recipients, allowing them to deploy workloads that contain encrypted Secrets without sharing a single private key. Each recipient encrypts to their own key pair, eliminating single points of failure.

Lost keys cannot be recovered.

KubeKanvas enforces a strict non-recovery policy — the private key is never uploaded to KubeKanvas servers, so it cannot be retrieved if lost. Store your private key securely and back it up before rotating.

Comparison with Other Approaches

Approach                           Operational overhead                              Vendor lock-in                                    Git-safe
HashiCorp Vault                    High (unsealing, policies, sidecar injectors)     Low                                               Yes
AWS / GCP / Azure Secret Manager   Low                                               High (per-secret billing, cloud-specific APIs)    Yes
Sealed Secrets / SOPS              Medium                                            Low                                               Yes
KubeKanvas                         Low                                               Low (standard YAML output)                        Yes

KubeKanvas generates standard Kubernetes YAML — no proprietary CRDs or custom annotations. Migrating away only requires replacing AGE-ENC: values with their base64-encoded plaintext equivalents.

Next step:

To decrypt secrets automatically in CI/CD pipelines, see Helm Deployment Automation.

© 2026 KubeKanvas. All rights reserved.