Release Notes

Documentation: kiln.sh

Full Changelog: v1.0.2...v1.0.3

Bug Fixes

• deps: update golang.org/x/crypto and golang.org/x/crypto

Release Notes

Documentation: kiln.sh

Full Changelog: v1.0.1...v1.0.2

Bug Fixes

• Fixed an issue where kiln would expect the configuration and the encrypted files to be in the same directory (8df47b8)
• Templates outputs generated using apply now use the parent template file permissions (f4da44a)

Release Notes

Documentation: kiln.sh

Full Changelog: v1.0.0...v1.0.1

New Feature: apply Command

Securely apply encrypted environment variables to template files without exposing secrets.

# Apply variables to any template format
kiln apply -f production nginx.conf.template -o nginx.conf

# Use custom delimiters for different template engines
kiln apply -f staging --left-delimiter "[[" --right-delimiter "]]" k8s.template

# Pipeline integration
kiln apply -f production docker-compose.yml.template | docker-compose -f - up

Key Benefits

• Format-agnostic: Works with any text-based template (Docker, Kubernetes, Nginx, etc.)
• Custom delimiters: Support for [[]], {{}}, or any delimiter pair
• Shell-compatible: Default ${} and $ patterns work like envsubst
• Strict validation: Optional strict mode fails on missing variables

Migration from envsubst

Replace unsafe plaintext workflows:

# Before: secrets exposed in environment
export DATABASE_URL="postgres://..."
envsubst < template.conf > output.conf

# After: secrets stay encrypted
kiln apply -f production template.conf -o output.conf

The apply command maintains kiln's core principles: minimal implementation, secure defaults, and seamless integration with existing DevOps workflows.

Release Notes

Documentation: kiln.sh

Full Changelog: https://github.com/thunderbottom/kiln/commits/v1.0.0

What is Kiln?

Kiln is a command-line tool that encrypts your application secrets (API keys, database passwords, etc.) so teams can safely store them in git repositories and share them securely.

Key Features

• Secure Encryption: Uses modern encryption to protect your secrets
• Team Collaboration: Control who can access which secrets using simple configuration
• No External Dependencies: Works completely offline - no servers or cloud services required
• Git-Friendly: Encrypted files can be safely committed to your repository
• Easy Integration: Run your applications with secrets automatically injected

Main Commands

• kiln set - Store a secret (prompts securely for the value)
• kiln get - Retrieve a secret
• kiln run - Run your application with secrets loaded
• kiln edit - Edit multiple secrets at once
• kiln init - Set up kiln for your project or team

Why Use Kiln?

Before: Secrets shared in chat, stored in plain text, or locked behind external services that can fail during deployments.

After: Secrets are encrypted, travel with your code, and only authorized team members can decrypt them.

Getting Started

1. Install

Download from releases or install with Go:

go install github.com/thunderbottom/kiln@latest

2. Set up your project

# Generate your encryption key
kiln init key

# Create project configuration
kiln init config --recipients "yourname=$(cat ~/.kiln/kiln.key.pub)"

3. Add secrets

# Add secrets (will prompt securely)
kiln set DATABASE_URL
kiln set API_KEY

4. Use in your application

# Run with secrets automatically loaded
kiln run -- npm start
kiln run -- python app.py

Team Setup

Add team members by sharing their public keys:

kiln rekey --file production --add-recipient "teammate=their-public-key"

What's Included

• Strong encryption with automatic key management
• Support for multiple environments (dev, staging, production)
• Role-based access control for team collaboration
• Cross-platform support (Linux, macOS, Windows)
• Integration with existing SSH keys
• Local first, so the secrets never leave your system.