kprun
MIT · Rust · v0.4.1

Your secrets, one process at a time.

kprun keeps API keys and tokens in a KeePass vault and injects them straight into a single child process — never into your shell profile, never shared across sessions, never logged.

Install on Linux / macOS
curl -fsSL https://raw.githubusercontent.com/numikel/kprun/refs/heads/main/scripts/install.sh | sh
kprun — vault and key artwork
~/.kprun locked
01

Why kprun exists

The problem

API keys pile up in .env files, .bashrc, and CI secrets — copied between projects, readable by every process on the machine, and impossible to audit once they're in your shell history.

  • Secrets exported to every child process, forever, for the whole session
  • Plaintext .env files scattered across repos and easy to commit by accident
  • No record of which key was used by which command, or when

The kprun way

One encrypted KeePass vault. Secrets are decrypted only when you run a command, injected only into that command's environment, and gone the moment it exits.

  • A single .kdbx vault — KeePassXC-compatible, unlock via OS keystore or keyfile
  • Per-process injection with kprun run entry -- command, nothing else touched
  • Audit log records entry names and key names — never values
02

See it run

init a vault, store a token, launch an MCP server — three commands, nothing else touched.

~/.kprun
$
03

How it works

Diagram: unlock vault, read entry fields, spawn child process, clean exit
  1. 1

    Unlock the vault

    kprun opens your .kdbx via OS keystore, keyfile, or an interactive prompt — never a plaintext password on disk.

  2. 2

    Read entry fields

    Custom string fields on a KeePass entry become environment variable names and values, exactly as you defined them.

  3. 3

    Spawn a child process

    The requested command runs with those variables injected into its environment only — your shell stays clean.

  4. 4

    Clean exit

    When the child process exits, the injected environment goes with it. Nothing lingers, nothing leaks to sibling processes.

04

Features

MCP-safe by design

Wrap any MCP server's command with kprun run — stdio stays clean, secrets never appear in the server's config file.

Audit log, not a leak log

Every injection is recorded: timestamp, entry, key names, child command. Values never touch the log.

Cross-platform

Linux, macOS, and Windows, on x86_64 and arm64. One binary, no runtime dependencies.

KeePassXC-compatible

Standard .kdbx format — edit your vault in the KeePassXC GUI if you want a visual editor.

Keyfile & CI-ready

Generate a keyfile for non-interactive contexts — cron, Task Scheduler, CI runners — no prompts required.

Full lifecycle CLI

init, set, get, list, export, import, doctor, mcp, deinit — everything scriptable, nothing hidden.

05

Installation

Install script
curl -fsSL https://raw.githubusercontent.com/numikel/kprun/refs/heads/main/scripts/install.sh | sh
Or grab a pre-built binary from GitHub Releases
06

FAQ

A .env file is plaintext on disk, readable by any process with file access, and easy to commit by accident. kprun keeps secrets encrypted in a KeePass vault and injects them only into the single process you launch — nothing is ever written back to disk in plaintext.

No. The audit log records entry titles and injected key names only — never values. The vault path itself is also excluded, identified only by a non-reversible hash.

Yes. kprun uses the standard .kdbx format, so you can open, inspect, and edit the same vault in the KeePassXC desktop app at any time.

A single static binary — Linux, macOS, or Windows, x86_64 or arm64. No runtime dependencies. Building from source requires Rust 1.88.0+.

Generate a keyfile with kprun init --keyfile, then export KPRUN_KEYFILE in the job environment. kprun unlocks non-interactively using the keyfile — no password prompt required.