Show HN: kiln – Git-native, age-encrypted secrets for dev workflows

4•pacmansyyu•6mo ago

Hi HN, I've been building this tool for the past couple of weeks to solve a problem that seems universal across development teams.

Every team handles secrets badly. Secrets and passwords get shared in Slack, `.env` files sit in plaintext, or you depend on external secret management services that can fail during critical deployments, or even depend on other people to deploy things for you!

I believe your environment secrets should neither depend on external services or people, nor be shared in plaintext.

kiln is a command-line tool for managing encrypted environment variables. It lets you encrypt secrets into files that can be safely committed to version control, with role-based access control so team members can only decrypt the environments they're authorized for.

What kiln does:

- Encrypts environment variables using age encryption with SSH and age keys

- Role-based access control - each file can have different access levels

- Commit encrypted files safely to git with clean diffs

- Run applications or render config templates with automatic secret injection

- Works completely offline - no external dependencies

Instead of depending on external services, your secrets travel with your code and work everywhere. You define team access in a config file, encrypt your secrets, and everything just works.

Built as a single Go binary that uses your existing SSH keys or generates new age keys.

Try it out and let me know what breaks or what's missing. I'd love to hear how this fits into your team's workflows and what could make it better.

GitHub: https://github.com/thunderbottom/kiln

Docs: https://kiln.sh

Comments

coding_coffee•6mo ago

This looks amazing. A solid solution to a pain point I've dealt with on multiple teams where secrets management always turns into a mess, especially in distributed setups without universal access to vaults or services. Love the offline-first approach and integration with existing SSH keys. It feels like a natural extension of Git workflows without adding bloat.

Full disclosure: I know the OP personally from some past collaborations, but that doesn't change how genuinely impressed I am with this tool.

mutant•6mo ago

I thought this was solved with SOPS/AGE?

pacmansyyu•6mo ago

Well, technically SOPS/age are both encryption tools first. Both of them are excellent, mind you. But they lack the user experience, specifically SOPS, with handling keys in a multi-user environment, and subsequently with the overall developer workflow. They do offer a lot more than just accessing environment variables securely though, something that kiln is trying to solve.

At first, I did consider using them instead of building my own tool on top of age. But our requirements were far beyond just encrypting and decrypting files in a single environment.

What kiln adds here is the role-based access control, so you can define multiple files, and users/groups who should be able to access them. It also adds to the developer workflow where you can directly run commands through kiln with the variables injected in the command's shell environment. You can also render templates for all the kiln-encrypted files you have access to.

You can say it's a wrapper over age, but adds functionality that allows seamless sharing of developer workflows, and environments, all from a single place. It's git-friendly, and primarily aims for your secrets to travel along with the code so all deployments can be done offline (as an alternative to something like Infiscal, or Vault). I've tried to make it as simple as possible to adopt for anyone in the team.

The only other best way for me to put it is that you should try it out, and I'm sure it'll be helpful in a lot of ways. If you have any more questions, I'm happy to answer them!

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else

Suno, AI Music, and the Bad Future [video]

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)