Show HN: kiln – Git-native, age-encrypted secrets for dev workflows
4 points | pacmansyyu | 8 months ago | kiln.sh
Every team handles secrets badly. Secrets and passwords get shared in Slack, `.env` files sit in plaintext, or you depend on external secret management services that can fail during critical deployments, or even depend on other people to deploy things for you!
I believe your environment secrets should neither depend on external services or people, nor be shared in plaintext.
kiln is a command-line tool for managing encrypted environment variables. It lets you encrypt secrets into files that can be safely committed to version control, with role-based access control so team members can only decrypt the environments they're authorized for.
What kiln does:
- Encrypts environment variables using age encryption with SSH and age keys
- Role-based access control - each file can have different access levels
- Commit encrypted files safely to git with clean diffs
- Run applications or render config templates with automatic secret injection
- Works completely offline - no external dependencies
Instead of depending on external services, your secrets travel with your code and work everywhere. You define team access in a config file, encrypt your secrets, and everything just works.
Built as a single Go binary that uses your existing SSH keys or generates new age keys.
Try it out and let me know what breaks or what's missing. I'd love to hear how this fits into your team's workflows and what could make it better.
GitHub: https://github.com/thunderbottom/kiln
Docs: https://kiln.sh
coding_coffee | 8 months ago
Full disclosure: I know the OP personally from some past collaborations, but that doesn't change how genuinely impressed I am with this tool.
mutant | 8 months ago
pacmansyyu | 7 months ago
At first, I did consider using them instead of building my own tool on top of age. But our requirements were far beyond just encrypting and decrypting files in a single environment.
What kiln adds here is the role-based access control, so you can define multiple files, and users/groups who should be able to access them. It also adds to the developer workflow where you can directly run commands through kiln with the variables injected in the command's shell environment. You can also render templates for all the kiln-encrypted files you have access to.
You can say it's a wrapper over age, but it adds functionality that allows seamless sharing of developer workflows, and environments, all from a single place. It's git-friendly, and primarily aims for your secrets to travel along with the code so all deployments can be done offline (as an alternative to something like Infisical, or Vault). I've tried to make it as simple as possible to adopt for anyone in the team.
The only other best way for me to put it is that you should try it out, and I'm sure it'll be helpful in a lot of ways. If you have any more questions, I'm happy to answer them!
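The model described in the submission above and in pacmansyyu's reply (one recipient list per encrypted file, derived from users and groups; running a command with the decrypted variables injected into its environment; rendering config templates from the same variables) can be sketched end to end. The following is an added example written for this page, not kiln's own code or configuration format: the policy layout, the placeholder keys, the function names and the dotenv conventions are assumptions, and the plaintext stands in for what an age decryption would return, so the age step itself is not performed here.

```python
"""Added example (not kiln's code): resolving a per-file access policy to an
age recipient list, then using the decrypted variables in memory only."""
import os
import string
import subprocess
import sys

# Constructed policy, loosely modelled on the description in the post. The key
# strings are fake placeholders, not real age or SSH public keys.
POLICY = {
    "users": {
        "alice": "age1ALICE_PLACEHOLDER",
        "bob":   "ssh-ed25519 AAAA_BOB_PLACEHOLDER",
        "carol": "age1CAROL_PLACEHOLDER",
    },
    "groups": {
        "developers": ["alice", "bob", "carol"],
        "ops":        ["alice"],
    },
    "files": {
        "staging.env":    {"access": ["developers"]},
        "production.env": {"access": ["ops", "bob"]},  # a group and a single user
    },
}


def recipients_for(policy, filename):
    """Public keys that must be listed as age recipients when `filename` is
    encrypted: every member of every listed group plus any user named directly.
    A key outside this set simply cannot decrypt the file."""
    try:
        entries = policy["files"][filename]["access"]
    except KeyError:
        raise KeyError(f"{filename} is not declared in the policy")
    users = set()
    for entry in entries:
        if entry in policy["groups"]:
            users.update(policy["groups"][entry])
        elif entry in policy["users"]:
            users.add(entry)
        else:
            # Fail closed: an unknown name must not silently widen or drop access.
            raise ValueError(f"unknown user or group {entry!r} on {filename}")
    return sorted(policy["users"][u] for u in users)


def can_decrypt(policy, filename, user):
    return policy["users"].get(user) in recipients_for(policy, filename)


def parse_dotenv(text):
    """Parse KEY=value lines; tolerates comments, blank lines, an optional
    `export ` prefix and matching single or double quotes around the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def run_with_secrets(dotenv_text, argv):
    """Run argv with the decrypted variables layered over the parent's
    environment. Nothing touches disk or shell history; the parent's own
    environment is left unchanged."""
    child_env = dict(os.environ)
    child_env.update(parse_dotenv(dotenv_text))
    result = subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)
    return result.stdout


def child_sees(dotenv_text, name):
    """Ask a child Python process what it sees for `name` (demo helper)."""
    code = f"import os; print(os.environ.get({name!r}, ''))"
    return run_with_secrets(dotenv_text, [sys.executable, "-c", code]).strip()


def render_template(template_text, dotenv_text):
    """Render a $VAR / ${VAR} template from the decrypted variables. A missing
    variable raises KeyError instead of rendering silently as an empty string."""
    return string.Template(template_text).substitute(parse_dotenv(dotenv_text))


# Constructed plaintext standing in for the result of an age decryption.
DECRYPTED = """
# staging database
DB_URL="postgres://app:s3cret@db.internal/app"
export API_TOKEN=tok_staging_123
"""

if __name__ == "__main__":
    print(recipients_for(POLICY, "production.env"))
    print(child_sees(DECRYPTED, "DB_URL"))
    print(render_template("database_url = ${DB_URL}", DECRYPTED), end="")
```

Two design points worth noting: the recipient set is computed from the policy at encryption time, so removing a user from a group only takes effect for files that are re-encrypted afterwards (rotation, not just a config edit, revokes access); and the child process receives the variables through its environment block rather than through a shell command line, so they do not appear in `ps` output or shell history.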