Skip to content

Installation

Jump to bottom
Jake Paine edited this page Apr 24, 2026 · 5 revisions

Installation

Prerequisites

SOPS must be installed and on your PATH, or configured with sops.binary in keyseal.yaml. Keyseal delegates all encryption and decryption to the SOPS binary - it does not implement cryptography itself. Install SOPS from the official releases or via your package manager.

# verify sops is available
sops --version

age (the key type) is recommended if you are using age-based encryption, which is what Keyseal's default .sops.yaml template assumes. SOPS performs runtime encryption and decryption, but the age CLI is commonly needed to generate and inspect keys. Doctor warns when the configured sops.age_binary is unavailable.

# verify age is available (needed for key generation, not for runtime decrypt if sops handles it)
age --version

Go 1.22 or later is required to build from source.

Release binaries

Pre-built archives for the four supported platforms are attached to each tagged GitHub release:

keyseal_<version>_linux_amd64.tar.gz
keyseal_<version>_linux_arm64.tar.gz
keyseal_<version>_darwin_amd64.tar.gz
keyseal_<version>_darwin_arm64.tar.gz
keyseal_<version>_checksums.txt

Each archive contains the keyseal binary, README.md, and LICENSE.

# example: linux amd64
curl -LO https://github.com/Barkway-app/keyseal/releases/download/v0.1.0/keyseal_v0.1.0_linux_amd64.tar.gz
tar xzf keyseal_v0.1.0_linux_amd64.tar.gz
sudo mv keyseal /usr/local/bin/

# verify checksum before moving the binary
sha256sum -c keyseal_v0.1.0_checksums.txt --ignore-missing

Build from source

git clone https://github.com/Barkway-app/keyseal
cd keyseal
make build

The binary lands at ./bin/keyseal. The build embeds version metadata from Git tags and the current HEAD commit. A clean tag produces a version string like v0.1.0 (abc1234); a build with no tags produces dev (abc1234).

To install it system-wide:

sudo cp ./bin/keyseal /usr/local/bin/

Verification

# check binary is accessible
keyseal --version

# expected output format:
# keyseal v0.1.0 (abc1234)

For a more detailed version output:

keyseal version
# keyseal v0.1.0 (abc1234)
# tag: v0.1.0
# commit: abc1234
# built: 2026-04-19T13:10:00Z

SOPS binary path

By default Keyseal expects sops on your PATH. If SOPS is installed elsewhere, you can override the binary path in keyseal.yaml:

sops:
  binary: /usr/local/bin/sops

See Configuration Reference for details.

If age is installed outside PATH, configure it too:

sops:
  age_binary: /usr/local/bin/age

The age key file

Set sops.age_key_file in keyseal.yaml to the private key path you want Keyseal to use by default. Keyseal passes that path through to SOPS automatically.

If SOPS_AGE_KEY_FILE is already set in the shell, the environment variable wins. That makes it easy to keep a stable local default in config while still overriding it for CI or one-off commands.

Home

Getting Started

Reference

Operations

Development

Clone this wiki locally