Your secrets, one process at a time.
kprun keeps API keys and tokens in a KeePass vault and injects them straight into a single child process — never into your shell profile, never shared across sessions, never logged.
curl -fsSL https://raw.githubusercontent.com/numikel/kprun/refs/heads/main/scripts/install.sh | sh
Why kprun exists
The problem
API keys pile up in .env files, .bashrc, and CI secrets — copied between projects, readable by every process on the machine, and impossible to audit once they're in your shell history.
- Secrets exported to every child process, forever, for the whole session
- Plaintext .env files scattered across repos and easy to commit by accident
- No record of which key was used by which command, or when
The kprun way
One encrypted KeePass vault. Secrets are decrypted only when you run a command, injected only into that command's environment, and gone the moment it exits.
- A single .kdbx vault — KeePassXC-compatible, unlock via OS keystore or keyfile
- Per-process injection with kprun run entry -- command, nothing else touched
- Audit log records entry names and key names — never values
See it run
init a vault, store a token, launch an MCP server — three commands, nothing else touched.
How it works

- 1
Unlock the vault
kprun opens your .kdbx via OS keystore, keyfile, or an interactive prompt — never a plaintext password on disk.
- 2
Read entry fields
Custom string fields on a KeePass entry become environment variable names and values, exactly as you defined them.
- 3
Spawn a child process
The requested command runs with those variables injected into its environment only — your shell stays clean.
- 4
Clean exit
When the child process exits, the injected environment goes with it. Nothing lingers, nothing leaks to sibling processes.
Features
MCP-safe by design
Wrap any MCP server's command with kprun run — stdio stays clean, secrets never appear in the server's config file.
Audit log, not a leak log
Every injection is recorded: timestamp, entry, key names, child command. Values never touch the log.
Cross-platform
Linux, macOS, and Windows, on x86_64 and arm64. One binary, no runtime dependencies.
KeePassXC-compatible
Standard .kdbx format — edit your vault in the KeePassXC GUI if you want a visual editor.
Keyfile & CI-ready
Generate a keyfile for non-interactive contexts — cron, Task Scheduler, CI runners — no prompts required.
Full lifecycle CLI
init, set, get, list, export, import, doctor, mcp, deinit — everything scriptable, nothing hidden.
Installation
curl -fsSL https://raw.githubusercontent.com/numikel/kprun/refs/heads/main/scripts/install.sh | shFAQ
A .env file is plaintext on disk, readable by any process with file access, and easy to commit by accident. kprun keeps secrets encrypted in a KeePass vault and injects them only into the single process you launch — nothing is ever written back to disk in plaintext.
No. The audit log records entry titles and injected key names only — never values. The vault path itself is also excluded, identified only by a non-reversible hash.
Yes. kprun uses the standard .kdbx format, so you can open, inspect, and edit the same vault in the KeePassXC desktop app at any time.
A single static binary — Linux, macOS, or Windows, x86_64 or arm64. No runtime dependencies. Building from source requires Rust 1.88.0+.
Generate a keyfile with kprun init --keyfile, then export KPRUN_KEYFILE in the job environment. kprun unlocks non-interactively using the keyfile — no password prompt required.