Secret Encryption
KubeKanvas can encrypts Secret values before they ever leave your browser, so plaintext credentials never touch KubeKanvas servers, your Git history, or your CI/CD logs.
Why Default Secrets Are Risky
- Accidental Git commits — a base64-encoded value committed to a repository exposes the credential permanently, even after deletion from history.
- Misconfigured RBAC — any principal with
geton the Secret object can read every value. - Unencrypted etcd — Kubernetes does not encrypt the etcd datastore by default, so anyone with backend access can read all Secret data directly.
How KubeKanvas Encrypts Secrets
KubeKanvas uses public-private key pair to encrypt your secrets. Each user who has installed and configured the KubeKanvas CLI agent generates their own unique key pair. This design ensures that:
- The public key is stored in KubeKanvas and used to encrypt values in the browser.
- The private key lives exclusively on the user's computer and can be used by CLI to decrypt the secrets. KubeKanvas servers never see the private keys.
Encryption happens locally in your browser using your workspace public key. Even the KubeKanvas AI assistant only ever receives[ENCRYPTED] placeholders and plaintext values are never transmitted to or stored on KubeKanvas servers.
The Encryption Workflow
- Open a project in the KubeKanvas visual editor and add a Secret resource by dragging and dropping secret from the left toolbar.
- Create a new value e.g. DB_PASSWORD in the secret resource.
- Click the Encrypt button next to the value. The browser encrypts it locally using your public key available to the kubekanvas servers.
- The encrypted value is stored as
AGE-ENC: base64inside the generated Helm chart. - When you deploy, the KubeKanvas CLI or helm-kubekanvas decrypts the value in memory using the private key and applies the plaintext Secret to your cluster.
Encrypted Value Format
Encrypted values use the AGE-ENC: prefix followed by base64-encoded AGE binary ciphertext:
AGE-ENC:<base64-encoded AGE binary ciphertext>These values are safe to commit to Git. Without the private key they are unreadable.
Context-aware decryption
The CLI understands Kubernetes resource structure and handles output encoding automatically:
| Resource | Field | Output after decryption |
|---|---|---|
kind: Secret | .data.* | Plaintext → base64-encoded (Kubernetes requires it) |
kind: Secret | .stringData.* | Plaintext |
| Any other kind | any field | Plaintext |
Managing Encryption Keys
Your AGE key pair is created when you first configure a cluster. You can manage it with the keys command:
# View your current public key
kubekanvas keys show
# Rotate your key pair
kubekanvas keys rotateMulti-Recipient Support
Team members can be added as AGE recipients, allowing them to deploy workloads that contain encrypted Secrets without sharing a single private key. Each recipient encrypts to their own key pair, eliminating single points of failure.
KubeKanvas enforces a strict non-recovery policy — the private key is never uploaded to KubeKanvas servers, so it cannot be retrieved if lost. Store your private key securely and back it up before rotating.
Comparison with Other Approaches
| Approach | Operational overhead | Vendor lock-in | Git-safe |
|---|---|---|---|
| HashiCorp Vault | High (unsealing, policies, sidecar injectors) | Low | Yes |
| AWS / GCP / Azure Secret Manager | Low | High (per-secret billing, cloud-specific APIs) | Yes |
| Sealed Secrets / SOPS | Medium | Low | Yes |
| KubeKanvas | Low | Low (standard YAML output) | Yes |
KubeKanvas generates standard Kubernetes YAML — no proprietary CRDs or custom annotations. Migrating away only requires replacing AGE-ENC: values with their base64-encoded plaintext equivalents.
To decrypt secrets automatically in CI/CD pipelines, see Helm Deployment Automation.