🔐 keyden

Documentation

CLI Reference

All keyden commands. Run keyden help <command> for flag details.

Environment variables

KEYDEN_PASSWORD

Vault password. Set this to skip interactive prompts in scripts and CI pipelines.

KEYDEN_VAULT_DIR

Override the vault directory (default: ~/.keyden). Useful for isolated test environments.

KEYDEN_SILENT

Set to 1 to suppress advisory warnings (framework detection, stdout export notice).

keyden init

Create a new encrypted vault at ~/.keyden/vault.enc

keyden init
keyden set <name> [value]

Store a secret. Prompts for the value interactively if omitted.

keyden set GEMINI_API_KEY
keyden set DATABASE_URL "postgres://..."
echo $SECRET | keyden set API_KEY --stdin
keyden get <name>

Retrieve a secret from the vault.

keyden get GEMINI_API_KEY
keyden get API_KEY --masked
keyden get API_KEY -q
keyden list

List all secret names stored in the vault.

keyden list
keyden list --json
keyden delete <name>

Remove a secret from the vault.

keyden delete OLD_KEY
keyden delete OLD_KEY --force
keyden run <command...>

Spawn a process with all vault secrets injected as environment variables. No shell built-ins; use bash -c for shell features.

keyden run node server.js
keyden run npm start
keyden run bash -c "echo $SECRET"
keyden rotate

Change the vault master password and re-encrypt all secrets.

keyden rotate
keyden import <file>

Import secrets from a .env file into the vault.

keyden import .env
keyden import .env --delete
keyden import .env --overwrite
keyden export

Export secrets to dotenv, shell, or JSON format.

keyden export
keyden export --format shell
keyden export --format json -o secrets.json
keyden doctor

Diagnose vault setup: checks existence, file permissions (chmod 600), and decryption with KEYDEN_PASSWORD.

keyden doctor
keyden status

Show vault location, file size, and whether a session is active.

keyden status
keyden migrate <source>

Migrate secrets from another keyden vault file into the current vault.

keyden migrate /backup/vault.enc
keyden migrate old-vault.enc --overwrite --delete