CLI reference
Manage secrets from the terminal with the stash CLI
The stash CLI is provided by @cipherstash/cli and available after install.
It reads credentials from the same CS_* environment variables used by the SDK.
Commands
Set a secret
Encrypt and store a secret:
npx @cipherstash/cli secrets set --name DATABASE_URL --value "postgres://..." --environment production
npx @cipherstash/cli secrets set -n DATABASE_URL -V "postgres://..." -e production
Get a secret
Retrieve and decrypt a secret:
npx @cipherstash/cli secrets get --name DATABASE_URL --environment production
npx @cipherstash/cli secrets get -n DATABASE_URL -e production
Get many secrets
Retrieve and decrypt multiple secrets in a single call. Pass a comma-separated list of names:
npx @cipherstash/cli secrets get-many --name DATABASE_URL,API_KEY --environment production
npx @cipherstash/cli secrets get-many -n DATABASE_URL,API_KEY,JWT_SECRET -e production
List secrets
List all secret names in an environment:
npx @cipherstash/cli secrets list --environment production
npx @cipherstash/cli secrets list -e production
Delete a secret
Delete a secret (prompts for confirmation):
npx @cipherstash/cli secrets delete --name DATABASE_URL --environment production
Pass --yes to skip the confirmation prompt:
npx @cipherstash/cli secrets delete --name DATABASE_URL --environment production --yes
npx @cipherstash/cli secrets delete -n DATABASE_URL -e production -y
Command reference
| Command | Flags | Aliases | Description |
|---|---|---|---|
| npx @cipherstash/cli secrets set | --name, --value, --environment | -n, -V, -e | Encrypt and store a secret |
| npx @cipherstash/cli secrets get | --name, --environment | -n, -e | Retrieve and decrypt a secret |
| npx @cipherstash/cli secrets get-many | --name, --environment | -n, -e | Retrieve and decrypt multiple secrets (comma-separated names) |
| npx @cipherstash/cli secrets list | --environment | -e | List all secret names in an environment |
| npx @cipherstash/cli secrets delete | --name, --environment, --yes | -n, -e, -y | Delete a secret |
Configuration
The CLI reads credentials from environment variables:
| Variable | Description |
|---|---|
| CS_WORKSPACE_CRN | The workspace identifier (CRN format) |
| CS_CLIENT_ID | The client identifier |
| CS_CLIENT_KEY | Client key material used with ZeroKMS |
| CS_CLIENT_ACCESS_KEY | API key for authenticating with the CipherStash API |
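A wrapper around the `secrets set` command and the four CS_* variables above, as an added example that is not part of the CipherStash documentation. It checks that the credentials are exported without printing them and reads the secret value from stdin instead of a typed `--value` literal. The function names `cs_preflight` and `stash_set_from_stdin` are hypothetical, and the wrapper assumes only the flags shown on this page.

```shell
#!/bin/sh
# Added example (not CipherStash code). Function names are hypothetical.

# Credential variables listed in the Configuration table.
CS_REQUIRED_VARS="CS_WORKSPACE_CRN CS_CLIENT_ID CS_CLIENT_KEY CS_CLIENT_ACCESS_KEY"

# Report credential variables that are not exported or are empty, by name
# only (values are never printed). Returns 0 when all are present, else 1.
cs_preflight() {
  _cs_missing=0
  for _cs_name in $CS_REQUIRED_VARS; do
    # `env` lists only exported variables, i.e. what the CLI will see.
    if ! env | grep -q "^${_cs_name}=."; then
      echo "missing credential variable: $_cs_name" >&2
      _cs_missing=1
    fi
  done
  return "$_cs_missing"
}

# Usage: stash_set_from_stdin NAME ENVIRONMENT < source-of-value
# Reads one line from stdin and stores it with `secrets set`, so the value
# is not typed as a literal and stays out of shell history. It is still
# passed to the CLI via --value and is visible in that process's arguments.
stash_set_from_stdin() {
  if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
    echo "usage: stash_set_from_stdin NAME ENVIRONMENT" >&2
    return 2
  fi
  # With xtrace (set -x) active the shell would echo the value to stderr.
  case $- in *x*) echo "refusing to run under set -x" >&2; return 3 ;; esac
  cs_preflight || return 1
  _cs_secret=
  IFS= read -r _cs_secret || true   # tolerate input without trailing newline
  if [ -z "$_cs_secret" ]; then
    echo "no value on stdin" >&2
    return 2
  fi
  npx @cipherstash/cli secrets set --name "$1" --value "$_cs_secret" --environment "$2"
  _cs_rc=$?
  unset _cs_secret
  return "$_cs_rc"
}
```

Feed the value from a file or another tool's output, for example `stash_set_from_stdin DATABASE_URL production < db_url.txt`, where `db_url.txt` is a placeholder path.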