Skip to content

Installation

Jump to bottom
Jake Paine edited this page Apr 20, 2026 · 5 revisions

Installation

Prerequisites

SOPS must be installed and on your PATH. Keyseal delegates all encryption and decryption to the SOPS binary - it does not implement cryptography itself. Install SOPS from the official releases or via your package manager.

# verify sops is available
sops --version

age (the key type) is required if you are using age-based encryption, which is what Keyseal's default .sops.yaml template assumes. Install age from github.com/FiloSottile/age or via your package manager.

# verify age is available (needed for key generation, not for runtime decrypt if sops handles it)
age --version

Go 1.22 or later is required to build from source.

Release binaries

Pre-built archives for the four supported platforms are attached to each tagged GitHub release:

keyseal_<version>_linux_amd64.tar.gz
keyseal_<version>_linux_arm64.tar.gz
keyseal_<version>_darwin_amd64.tar.gz
keyseal_<version>_darwin_arm64.tar.gz
keyseal_<version>_checksums.txt

Each archive contains the keyseal binary, README.md, and LICENSE.

# example: linux amd64
curl -LO https://github.com/Barkway-app/keyseal/releases/download/v0.1.0/keyseal_v0.1.0_linux_amd64.tar.gz
tar xzf keyseal_v0.1.0_linux_amd64.tar.gz
sudo mv keyseal /usr/local/bin/

# verify checksum before moving the binary
sha256sum -c keyseal_v0.1.0_checksums.txt --ignore-missing

Build from source

git clone https://github.com/Barkway-app/keyseal
cd keyseal
make build

The binary lands at ./bin/keyseal. The build embeds version metadata from Git tags and the current HEAD commit. A clean tag produces a version string like v0.1.0 (abc1234); a build with no tags produces dev (abc1234).

To install it system-wide:

sudo cp ./bin/keyseal /usr/local/bin/

Verification

# check binary is accessible
keyseal --version

# expected output format:
# keyseal v0.1.0 (abc1234)

For a more detailed version output:

keyseal version
# keyseal v0.1.0 (abc1234)
# tag: v0.1.0
# commit: abc1234
# built: 2026-04-19T13:10:00Z

SOPS binary path

By default Keyseal expects sops on your PATH. If SOPS is installed elsewhere, you can override the binary path in keyseal.yaml:

sops:
  binary: /usr/local/bin/sops

See Configuration Reference for details.

The age key file

Set sops.age_key_file in keyseal.yaml to the private key path you want Keyseal to use by default. Keyseal passes that path through to SOPS automatically.

If SOPS_AGE_KEY_FILE is already set in the shell, the environment variable wins. That makes it easy to keep a stable local default in config while still overriding it for CI or one-off commands.

Home

Getting Started

Reference

Operations

Development

Clone this wiki locally