.png)
1 month ago
5
Stop copy-pasting secrets.
Turn config sprawl into code you can trust.
OneSeal turns platform outputs into versioned, type-safe SDKs. Eliminate runtime errors and connect services with confidence.
- What OneSeal Delivers — overview of artifacts (secrets, URLs, feature flags, etc.)
- The Problem — common secret/config pain points
- The Solution: Secrets-as-Code — how OneSeal helps
- Before vs After — example workflows and code
- Installation — macOS / Linux / From source
- Quickstart — 30s demo, Terraform example
- Using with Docker — Using with Docker
- How It Works — pipeline & workflow
- Security Architecture — Age keys, encryption model
- Key Features — for DevOps, developers, and teams
- Integrations — current & upcoming sources / SDKs
- Commands — CLI reference (generate, generate-key, ...)
- FAQ — common questions
- Monitoring & Observability — alerts & metrics
- Vote for What Comes Next — SDKs and input sources
- Acknowledgments — third-party credits
- License & Philosophy — MIT + principles
- 🔐 Secrets — Encrypted by default if marked as sensitive (passwords, API tokens, keys)
- 🌐 Service URLs — API endpoints, CDN domains, callback URLs
- 🚀 Feature Flags — Environment-specific configuration values
- 📊 Resource IDs — ARNs, bucket names, queue identifiers
- 🔧 Connection Strings — Databases, caches, brokers
- 📝 Any Platform Output — Developers need to consume safely
Every team knows this pain:
- "What's the S3 bucket name for uploads?" → Check the wiki...
- "What's the database password again?" → Check Slack/Discord/Teams...
- "The API key changed!" → App crashes in production at 3 AM
- "I renamed that secret..." → 5 services break silently
- process.env.DATBASE_URL → Typo goes unnoticed for weeks
- "How do we share this with the new dev?" → Another risky copy-paste
Your secrets are scattered across Vault, AWS Secrets Manager, Terraform outputs, and a dozen other places. Your developers access them through error-prone string lookups. There's no type safety, no version control, and no single source of truth.
OneSeal transforms your platform secrets into typed, versioned, encrypted SDKs that live in your git repository. One command turns chaos into code.
Download the latest binary for your platform from GitHub Releases:
Before using OneSeal, ensure you have the following installed on your host:
- npm For installing deps of the generated SDK package
then depending of your TypeScript/JavaScript project
Requires: "type": "module" in package.json Run:
Requires: "type": "commonjs" (or no "type" field) For TypeScript, also add to your tsconfig.json:
Run:
💡 Tip: Prefer ESM if possible — it’s modern, supports top-level await, and aligns with most SDKs.
This workflow enables a team to securely share secrets, with distinct steps for developers and CI.
Each developer generates their personal key once. OneSeal handles the storage automatically.
Generate a dedicated, non-user key for your automation pipeline. This last will be used to decrypt during runtime all secrets / metadata.
The team lead (or an automated process) collects all public keys and generates the SDK.
💡 Advanced Tip: For streamlined team workflows, store all team public keys in a dedicated Git repository (e.g., company/oneseal-keys). Clone it locally, then point --public-key-path to the directory when generating SDKs. OneSeal will automatically encrypt for all keys found:
This approach eliminates manual key management—add a new team member's .pub file to the repo, and the next SDK generation includes them automatically.
Commit the generated SDK to a private Git repository.
Developers and CI can now install the package. OneSeal automatically finds the correct private key.
ℹ️ Note: You can also push the generated SDK as a tarball to package repositories like npm.js, Verdaccio, or any other compatible registry for easier distribution and version management.
Sometimes you just want to move fast. We get it.
When to go commando:
- 🏠 Local development with dummy data
- 🧪 Testing environments with fake credentials
- 📋 Non-sensitive config (feature flags, URLs, etc.)
- 🏃♂️ Quick prototypes that'll never see prod
When NOT to:
- 🚫 Production secrets (obviously)
- 🚫 Real API keys
- 🚫 Actual passwords
Remember: With great power comes great responsibility. Encrypted by default, plaintext by choice.
OneSeal is available as a Docker image, perfect for CI/CD pipelines or containerized workflows.
What this does:
- Mounts your current directory as /app (where the SDK will be generated)
- Mounts your current directory as /root/.oneseal (where encryption keys are stored)
- Runs generate command in demo mode
Generated files:
After generation, the encryption key is needed to decrypt secrets at runtime:
After generation, the encryption key is needed to decrypt secrets at runtime:
Example GitHub Actions workflow:
| -v $PWD:/app | Output directory for generated SDK | ✅ Always |
| -v $PWD:/root/.oneseal | Encryption keys storage | Only for local dev |
| -v /path/to/state:/state:ro | Input Terraform state (read-only) | ✅ Always |
Deploy apps with OneSeal SDKs using secure Age key management.
File mount (recommended):
- ✅ More secure (file permissions)
- ✅ Easier rotation (update secret, restart pods)
- ✅ Works with multiple apps
Environment variable:
- ✅ Simpler for single-app deployments
- ❌ Exposed in kubectl describe pod
- ❌ Harder to rotate
- ✅ Use readOnly: true + defaultMode: 0400
- ✅ Apply RBAC to limit secret access
- ✅ Rotate keys regularly
- ✅ Use separate keys per environment
⚠️ Important: The age.key file contains your private encryption key. Never commit it to version control!
For production use, store the private key in a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.) and inject it at runtime. One key to rule them all.
OneSeal Workflow:
-
Extract & Encrypt - Platform teams run oneseal generate on Terraform state files using team public keys to create encrypted, type-safe SDKs
-
Version Control - The generated SDK (containing only encrypted data) gets committed to your private repository like any other code artifact
-
Standard Installation - Developers install the SDK through normal package management (npm install, pip install) with no special setup required
-
Runtime Decryption - Applications automatically decrypt secrets in-memory using environment-specific private keys (local development keys or CI environment variables)
-
Type-Safe Consumption - Code gets full TypeScript/Python type safety with zero plaintext credentials anywhere in the codebase or configuration files
The key insight: secrets become versioned, encrypted code artifacts that follow standard software development practices while maintaining security through asymmetric encryption.
- Development: Developers have their Age private key
- CI/CD: Single ONESEAL_AGE_PRIVATE_KEY environment variable
- Production: Same key unlocks ALL your secrets
- Before: 50 secrets = 50 environment variables to manage
- After: 1 private key = access to entire typed secret SDK
- Benefit: Rotate one key instead of updating dozens of secrets
- Enterprise collaboration: Break silos — dev, ops, and security consume the same trusted outputs.
- Cross-team & cross-stack: Securely share secrets and configs across departments, clients, and any tech stack — one source, many consumers.
- Selective Encryption: When using a Terraform state file as a source, OneSeal automatically detects the sensitive = true flag on your outputs. Only these values are encrypted. For other sources, you can specify which values to encrypt.
- Algorithm: Age with X25519 (Curve25519) for key exchange + AES/ChaCha20 for data encryption
- Multi-recipient: Each team member decrypts with their own private key (just share a public key)
- Git-safe: Encrypted files are compact, stable, and diff-friendly in version control
- Ephemeral security: Each secret uses a fresh symmetric key, providing forward secrecy
- Unified secret source: Works with Terraform, Vault, AWS SM (more coming)
- Version control: Track secret schema changes like code changes
- Team management: Add/remove recipients without re-encrypting
- Audit trail: Git history shows who changed what
- Type safety: No more typos or undefined secrets
- IDE support: Full IntelliSense and auto-completion
- Local development: Same SDK works everywhere
- No more copy-paste: Install secrets like any other dependency
- Single source of truth: Git becomes your secret repository
- Idiomatic workflow: Secrets distributed like npm packages
- Safer than Slack: No more credentials in chat history
- Compile-time validation: Catch issues before runtime
| Terraform | ✅ Ready | State file outputs |
| .env | 🚧 Soon | .env files |
| Pulumi | 🚧 Soon | Pulumi state outputs |
| HashiCorp Vault | 🚧 Soon | KV v2 secrets |
| AWS Secrets Manager | 🚧 Soon | Secret values |
| Azure Key Vault | 🚧 Soon | Secret values |
| Google Secret Manager | 🚧 Soon | Secret values |
| Doppler | 📋 Planned | Project configs |
| Infisical | 📋 Planned | Environments |
| 1Password | 📋 Planned | Vaults |
| Custom YAML/JSON | 📋 Planned |
OneSeal complements these tools—they store secrets, we distribute them as code.
| TypeScript | ✅ Ready | npm package |
| Python | 🚧 Soon | pip package |
| Go | 🚧 Soon | go module |
| PHP | 🚧 Soon | PHP package |
| Java | 🚧 Soon | Artifact/Library |
| GitHub Actions | 🚧 Soon | workflow files |
| Azure DevOps | 🚧 Soon | templates files |
| Terraform | 📋 Planned | encrypted modules |
- ❌ No type safety — process.env.DATBASE_URL (typo) fails at runtime, not compile time
- ❌ No version control — Who changed API_KEY last Tuesday? Good luck finding out.
- ❌ Hard to share securely — Slack messages? Email? Sticky notes? All terrible.
- ❌ No structure — Flat namespace of strings. Is it DB_HOST or DATABASE_HOST?
- ❌ No validation — Undefined values discovered in production at 3 AM
- ✅ OneSeal: Typed, versioned, encrypted, structured, validated at build time
- ✅ Great for storage — Keep using them! OneSeal complements them.
- ❌ Complex runtime dependencies — Network calls, authentication, retry logic, failure handling
- ❌ No compile-time checks — Typos like getSecret("databse_url") only fail at runtime
- ❌ String-based access — No IDE autocomplete, no refactoring support
- ❌ Operational overhead — VPN required? Service mesh? Rate limits? Downtime?
- ✅ OneSeal: Fetch secrets once → Generate SDK → Zero runtime network calls → Full type safety
OneSeal + Secret Managers = Best of Both Worlds
- Secret managers store and rotate secrets
- OneSeal distributes them as type-safe, encrypted code
- Update the SDK when secrets change (like updating any dependency)
- ✅ Simple and familiar — Developers know how to use them
- ❌ Plaintext — Can't safely commit to Git (but everyone does anyway 😬)
- ❌ No validation until runtime — Missing variables? Wrong format? Find out in prod!
- ❌ Manual distribution — "Hey can you send me the .env file?" (via Slack, of course)
- ❌ No history — Who changed what? When? Why?
- ❌ Merge conflicts — Different values per environment = Git nightmare
- ✅ OneSeal: Think of it as an encrypted, type-safe, version-controlled .env on steroids
- ❌ Security nightmare — API keys in public repos = instant pwned
- ❌ Rotation hell — Changing a hardcoded secret = code deploy
- ❌ Audit failure — Compliance teams will have questions
- ❌ Git history forever — Even after you delete it, it's still there
- ✅ OneSeal: Encrypted secrets safe to commit, type-safe access, no more hardcoding
- ✅ Great for infrastructure — Keep using them for server config
- ❌ Not developer-friendly — Ops tools, not dev tools
- ❌ No type safety — YAML/JSON strings everywhere
- ❌ Complex workflows — Run playbooks just to get a database password?
- ✅ OneSeal: Developer-first, type-safe, install like any npm package
- ✅ Native to K8s — Good for container environments
- ❌ Base64 encoded — Not encrypted! Just obfuscated.
- ❌ No version control — Changes to secrets are opaque
- ❌ K8s-only — What about local dev? Serverless? Edge functions?
- ❌ Still string-based — No type safety, no IDE support
- ✅ OneSeal: Works everywhere (local, cloud, edge), encrypted, type-safe
- ✅ Great UI and UX — Easy to manage secrets across teams
- ✅ Real-time updates — Change propagation without redeployment
- ❌ No type safety — Still string-based access, no IDE autocomplete
- ❌ Runtime dependency — Network calls required on every app startup
- ❌ SaaS-only — What about air-gapped environments? Offline dev?
- ✅ OneSeal: Type-safe, zero runtime calls, works offline, Git-native
Best together: They store and rotate secrets, OneSeal distributes them as type-safe code.
The OneSeal Philosophy:
We're not trying to replace your secret storage. We're making secret consumption better.
- Storage → Use Vault, AWS, Azure, whatever you trust
- Distribution → Use OneSeal for type-safe, encrypted SDKs
- Consumption → Developers get typed, versioned secrets like any npm package
OneSeal started with TypeScript/JavaScript SDKs, but we’re just getting started. Which SDK language would make your team’s life easier?
OneSeal’s first input source was Terraform state, but we want to support your stack. Which input source should we add next?
👉 Vote for the next input source here
- Audit trail: Complete history of who did what, when
- Access patterns: Detect anomalous secret access
- Compliance reports: Export for SOC2, HIPAA, PCI audits
- Secret lifecycle: Track creation, rotation, deprecation
- Usage analytics: Which secrets are actually used
- Performance metrics: Decryption latency, SDK overhead
- Dependency mapping: Service → Secret relationships
- Health checks: Source integration status
- Failed decryptions: Immediate notification
- Rotation reminders: Enforce rotation policies
- Version drift: Outdated SDKs in production
- Value changes: Unexpected secret modifications
*All features coming soon - we're building based on user feedback.
Transform secrets into SDKs.
Create Age encryption keys.
Q: Is this secure to commit to git?
A: Yes! Sensitive values are encrypted with Age. Only those with private keys can decrypt.
Q: Why are some of my outputs not encrypted?
A: Only outputs or content explicitly marked as sensitive are encrypted. What is considered sensitive depends on the source type.
For example, in Terraform, whether an output is encrypted depends on whether the sensitive flag is set.
Q: What about secret rotation?
A: Change secret → Regenerate SDK → Bump version → Team updates dependency.
Q: Can I use this with my existing secret manager?
A: Yes! OneSeal complements tools like Vault and AWS Secrets Manager. They store, we distribute.
Q: What if a developer leaves?
A: Remove their public key and regenerate. Coming soon: remote secret sources with live private key validation for instant access revocation.
- Age (cryptography) by Filippo Valsorda
The OneSeal CLI is licensed under the AGPLV3 license.
- 🔒 Your secrets stay yours — no secret values, file paths, or repo names ever leave your machine
- 🚫 No hidden telemetry — OneSeal never phones home
- ✅ Git-native, vendor-free — encrypted SDKs are just repos you control
- 🔑 BYOK (Bring Your Own Keys) — you own the encryption, not us
We’re building a sustainable business without betraying developer trust:
- CLI → AGPLV3 license, free & open-source
- Core Runtime → free for most teams, source-available soon
- Cloud Features (optional) → team collaboration, audit logs, compliance tooling, automation
- 📌 No surprises — license changes apply only to new major versions
- 🔓 No lock-in — SDKs remain plain Git repos, usable anywhere
- 🆓 No gatekeeping — core features always include a free tier
- 🤝 Transparency — revenue comes from features, never your data
OneSeal is our answer to developer tools done right: open, secure, and built to last.
![The Perfect Router Does Not Exi [video]](https://www.youtube.com/img/desktop/supported_browsers/firefox.png)
