Kānuka is a powerful command-line tool written in Go for secure secrets management in your projects. It provides a simple yet robust interface for encrypting and decrypting environment files using industry-standard cryptography.
For complete documentation, examples, and guides, visit our official documentation site.
The documentation includes:
- Detailed installation guides
- Step-by-step tutorials
- Configuration examples
- Best practices
- API reference
Kānuka (Kunzea ericoides) is a tree that is endemic to Aotearoa New Zealand. It is a robust species, critical to restoring wildlife destroyed by fire as it quickly propagates and regenerates the land. Its leaves have a characteristically soft touch, and it's one of few plants that can survive the heat of geothermal features.
It is fast, resilient, yet pleasant to touch. This is the vision of Kānuka.
- Secure Secret Management: Store and encrypt environment variables using industry-standard encryption (AES-256 and RSA-2048)
- Team Collaboration: Register and manage team member access to shared secrets
- Key Rotation: Rotate encryption keys with automatic re-encryption of all secrets
- Access Control: View who has access, revoke users securely with full key rotation
- Audit Trail: Track who performed what operations and when with the audit log
- Selective Encryption: Encrypt specific files, directories, or use glob patterns
- Monorepo Support: Flexible workflows for managing secrets in monorepos
- Health Checks: Run diagnostics to detect configuration issues and inconsistent state
- Backup & Recovery: Export and import encrypted secrets for disaster recovery
- User-friendly Interface: Simple commands for managing secrets across your team
- Cross-platform Support: Works on Linux, macOS, and Windows
- Shell Autocompletion: Supports bash, zsh, fish, and PowerShell
- Go 1.21 or later (for building from source)
- Git (for version control)
The recommended way to install Kānuka is using Go:
go install github.com/PolarWolf314/kanuka@latest
Make sure your Go binaries directory is in your PATH:
- Linux: Add export PATH=$HOME/go/bin:$PATH to your ~/.bashrc
- macOS: Add export PATH=$HOME/go/bin:$PATH to your ~/.zshrc
- Windows: Add %USERPROFILE%\go\bin to your user environment variables
You can also download pre-built binaries from the GitHub Releases page.
- Initialize Secrets Store:
  kanuka secrets init
- Create Your Encryption Keys:
  kanuka secrets create
- Encrypt Your Secrets:
  kanuka secrets encrypt
- Register a Team Member:
  kanuka secrets register --user username
- kanuka secrets init: Initialize a new secrets store
- kanuka secrets create: Create new encryption keys
- kanuka secrets encrypt [files...]: Encrypt .env files (all files if none specified)
- kanuka secrets decrypt [files...]: Decrypt .kanuka files (all files if none specified)
- kanuka secrets register --user <email>: Register a new user
- kanuka secrets revoke --user <email>: Revoke a user's access
- kanuka secrets sync: Rotate encryption key and re-encrypt all secrets
- kanuka secrets rotate: Rotate your personal keypair
- kanuka secrets access: List users with access to secrets
- kanuka secrets status: Show encryption status of secret files
- kanuka secrets clean: Remove orphaned keys and inconsistent state
- kanuka secrets doctor: Run health checks on the project
- kanuka secrets log: View audit log of operations
- kanuka secrets export: Create a backup archive of encrypted secrets
- kanuka secrets import <archive>: Restore secrets from a backup archive

- kanuka config list-devices: List all devices in project
- kanuka config set-default-device <name>: Set your default device name for new projects
- kanuka config set-project-device <name>: Set your device name for an existing project

- kanuka completion <shell>: Generate autocompletion script for your shell
- kanuka --help: Show help information
- kanuka <command> --help: Show help for a specific command
Kānuka uses a hybrid encryption approach for secure secrets management:
- A symmetric AES-256 key is used to encrypt your project secrets
- Each user's RSA-2048 key pair is used to encrypt/decrypt the symmetric key
- Public keys are stored in the project repository
- Private keys are stored securely on each user's machine
This approach allows team members to securely share the same secrets without exposing sensitive information.
Kānuka stores secrets-related files in a .kanuka folder at the root of your project:
project/
├── .env                     # Your secrets (should be in .gitignore)
├── .env.kanuka              # Your secrets, encrypted by Kānuka
└── .kanuka/
    ├── public_keys/
    │   ├── user_1.pub       # Public keys for each user
    │   └── user_2.pub
    └── secrets/
        ├── user_1.kanuka    # Encrypted symmetric key for each user
        └── user_2.kanuka
User-specific private keys are stored in your system's data directory:
- Linux/macOS: ~/.local/share/kanuka/keys/
- Windows: %APPDATA%\kanuka\keys\
To build Kānuka from source:
# Clone the repository
git clone https://github.com/PolarWolf314/kanuka.git
cd kanuka
# Build the binary
go build -o kanuka
# Run the binary
./kanuka

# Run all tests
go test ./test/...
# Run tests with verbose output
go test -v ./test/...
# Run specific command categories
go test ./test/integration/init/...
go test ./test/integration/create/...
go test ./test/integration/register/...
go test ./test/integration/encrypt/...
go test ./test/integration/decrypt/...
go test ./test/integration/revoke/...
go test ./test/integration/sync/...
go test ./test/integration/access/...

Kānuka supports shell autocompletion for bash, zsh, fish, and PowerShell. Run kanuka completion [shell] to generate the appropriate completion script.
Contributions are welcome! Feel free to submit issues or pull requests.
This project is licensed under the MIT License - see the LICENSE file for details.