An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications
Clone or download
Latest commit 6c790a7 Jan 17, 2019

Helm Package

Kamus logo

An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault and AES).

Getting Started

The simple way to run Kamus is by using the Helm chart:

helm repo add soluto
helm upgrade --install kamus soluto/kamus

Refer to the installation guide for more details. After installing Kamus, you can start using it to encrypt secrets. Kamus encrypt secrets for a specific application, represent by a Kubernetes Service Account. Create a service account for your application, and mount it on the pods running your application. Now, when you know the name of the service account, and the namespace it exists in, install Kamus CLI:

npm install -g @soluto-asurion/kamus-cli

Use Kamus CLI to encrypt the secret:

kamus-cli encrypt --secret super-secret --service-account kamus-example-sa --namespace default --kamus-url <Kamus URL>

If you're running Kamus locally the Kamus URL will be like http://localhost:<port>. So you need to add --allow-insecure-url flag to enable http protocol.

Pass the value returned by the CLI to your pod, and use Kamus Decrypt API to decrypt the value. The simplest way to achieve that is by using the init container. An alternative is to use Kamus decrypt API directly in the application code. To make it clearer, take a look on a working example app. You can deploy this app to any Kubernetes cluster that has Kamus installed, to understand how it works.


Kamus has 3 components:

  • Encrypt API
  • Decrypt API
  • Key Management System (KMS)

The encrypt and decrypt APIs handle encryption and decryption requests. The KMS is a wrapper for various cryptographic solutions. Currently supported:

  • AES - uses one key for all secrets
  • Azure KeyVault - creates one key per service account.
  • Google Cloud KMS - creates one key per service account.

We look forward to add support for other cloud solutions, like AWS KMS. If you're interested in such a feature, please let us know. We would like help with testing it out. Consult the installation guide for more details on how to deploy Kamus using the relevant KMS.


Kamus is shipped with 2 utilities that make it easier to use:

  • Kamus CLI - a small CLI that eases the interaction with the Encrypt API. Refer to the docs for more details.
  • Kamus init container - a init container that interacts with the Decrypt API. Refer to the docs for more details.


We take security seriously at Soluto. To learn more about the security aspects of Kamus refer to the Threat Modeling docs containing all the various threats and mitigations we discussed. Before installing Kamus in production refer the installation guide to learn the best practices of deploying Kamus securely. In case you find a security issue or have something you would like to discuss refer to our policy.


Find a bug? Have a missing feature? Please open an issue and let us know. We would like to help you using Kamus! Please notice: Do not report security issues on GitHub. We will immediately delete such issues.


The logo icon made by Gregor Cresnar from is licensed by CC 3.0 BY.