A kubeseal companion CLI for viewing, editing, exporting, encrypting, and offline decrypting Kubernetes Secrets.
pipx install ksealkubeseal is excellent at one thing: encrypting secrets so they can be safely committed to Git. But day-to-day cluster work involves more than that. For example; inspecting what's inside a sealed secret, swapping secrets across manifests, or recovering secrets without cluster access.
kseal is a DX layer on top of kubeseal that handles the operational side:
| kubeseal | kseal | |
|---|---|---|
| Encrypt secrets for GitOps | ✅ | ✅ (via kubeseal) |
| View / inspect sealed secrets | ❌ | ✅ kseal cat |
| Edit sealed secrets in-place | ❌ | ✅ kseal edit |
| Offline decryption | ❌ | ✅ kseal decrypt |
| Export secrets to files | ❌ | ✅ kseal export |
| Per-project config (no repeated flags) | ❌ | ✅ .kseal-config.yaml |
| In-place secret swapping in manifests | ❌ | ✅ kseal encrypt --in-place |
If you only ever seal secrets once and push them, kubeseal alone is enough. If you work with sealed secrets daily, kseal saves the repetition.
- Python 3.12+
- Kubernetes cluster access (not required for offline decryption)
- Sealed Secrets controller installed in cluster
# View a decrypted secret (requires cluster access)
kseal cat secrets/app.yaml
# Export all secrets to files
kseal export --all
# Encrypt a plaintext secret
kseal encrypt secret.yaml -o sealed.yaml
# Offline decryption (no cluster access needed)
kseal export-keys # Backup keys while you have access
kseal decrypt sealed.yaml # Decrypt using local keys
kseal edit sealed.yaml # Edit decrypted content, then re-encrypt
kseal decrypt-all --in-place # Decrypt all SealedSecretsView decrypted secret contents with syntax highlighting.
kseal cat path/to/sealed-secret.yaml
kseal cat sealed.yaml --no-colorExport decrypted secrets to files.
# Single file
kseal export sealed.yaml
kseal export sealed.yaml -o output.yaml
# All local SealedSecrets
kseal export --all
# All secrets from cluster
kseal export --all --from-clusterDefault output: .unsealed/<original-path> or .unsealed/<namespace>/<name>.yaml
Encrypt plaintext secrets using kubeseal.
# To stdout
kseal encrypt secret.yaml
# To file
kseal encrypt secret.yaml -o sealed.yaml
# Replace original file
kseal encrypt secret.yaml --in-placeExport sealed-secrets private keys from cluster for offline decryption.
# Export to default location
kseal export-keys # → .kseal-keys/
# Custom output directory
kseal export-keys -o ./backup
# From different namespace
kseal export-keys -n kube-systemDecrypt a SealedSecret using local private keys (no cluster access needed).
# Using keys from default location
kseal decrypt sealed.yaml
# Using specific key file
kseal decrypt sealed.yaml --private-key ./key.pem
# From stdin
cat sealed.yaml | kseal decrypt
# Filter keys by pattern
kseal decrypt sealed.yaml --private-keys-regex "2025"Decrypt all SealedSecrets in a directory using local private keys.
# Search current directory, output to stdout
kseal decrypt-all
# Search specific directory
kseal decrypt-all ./manifests
# Replace files in-place
kseal decrypt-all --in-place
# Custom keys location
kseal decrypt-all --private-keys-path ./backupEdit a SealedSecret safely: decrypt to a temporary editor file, open $VISUAL or $EDITOR, then re-encrypt the original file only if the plaintext was changed.
kseal edit sealed.yaml
kseal edit sealed.yaml --private-key ./key.pem
kseal edit sealed.yaml --private-keys-regex "2025"The temporary plaintext file is created with 0600 permissions and removed after the editor exits.
Create a configuration file with the latest kubeseal version pinned.
kseal init
kseal init --force # Overwrite existingManage kubeseal binary versions.
# List downloaded versions
kseal version list
# Download the latest version
kseal version update
# Set global default version
kseal version set 0.27.0
# Clear default (use highest downloaded)
kseal version set --clearGenerate shell completion scripts.
# Bash
source <(kseal completion bash)
# Zsh
source <(kseal completion zsh)Add the matching source <(...) line to your shell profile to enable completions permanently.
Configuration priority: Environment variables > .kseal-config.yaml > Global settings
| Option | Environment Variable | Default |
|---|---|---|
version |
KSEAL_VERSION |
Global default or highest downloaded |
version: disable |
KSEAL_VERSION_DISABLE=1 |
Use kubeseal from PATH without version checks or downloads |
controller_name |
KSEAL_CONTROLLER_NAME |
sealed-secrets |
controller_namespace |
KSEAL_CONTROLLER_NAMESPACE |
sealed-secrets |
unsealed_dir |
KSEAL_UNSEALED_DIR |
.unsealed |
Example config file
# .kseal-config.yaml
version: "0.27.0"
controller_name: sealed-secrets
controller_namespace: kube-system
unsealed_dir: .secrets
# To disable automatic kubeseal version management and use PATH:
# version: disablekseal automatically manages kubeseal binary versions:
- Binaries are stored at
~/.local/share/kseal/kubeseal-<version> - Each project can pin a specific version in
.kseal-config.yaml - Global settings are stored in
~/.local/share/kseal/settings.yaml - Set
KSEAL_VERSION_DISABLE=1orversion: disableto usekubesealfromPATH
Version resolution order:
- Disabled management (
KSEAL_VERSION_DISABLE=1orversion: disable) useskubesealfromPATH - Project config version (
.kseal-config.yaml) - Global default version (
kseal version set) - Highest downloaded version
- Fetch latest from GitHub (first run only)
- Add
.unsealed/and.kseal-keys/to your.gitignore - Never commit plaintext secrets or private keys to version control
- Store exported keys securely (e.g., password manager, encrypted backup)
- Offline decryption with
kseal decryptrequires the private keys - keep them safe
git clone https://github.com/eznix86/kseal.git
cd kseal
uv sync
# Run tests
make test
# Run linter
make lint