Skip to main content

CLI Commands Reference

Complete reference for all secretctl CLI commands.

Global Options

secretctl [command] --help    # Show help for any command

init

Initialize a new secret vault.

secretctl init

Creates a new encrypted vault at ~/.secretctl/vault.db. You will be prompted to set a master password (minimum 8 characters).

Example:

$ secretctl init
Enter master password: ********
Confirm master password: ********
Vault initialized successfully.

set

Store a secret value from standard input, or create multi-field secrets.

secretctl set [key] [flags]

Flags:

FlagDescription
--field name=valueAdd a field to the secret (repeatable)
--binding ENV=fieldAdd environment binding (repeatable)
--sensitive nameMark a field as sensitive (repeatable)
--notes stringAdd notes to the secret
--tags stringComma-separated tags (e.g., dev,api)
--url stringAdd URL reference to the secret
--expires stringExpiration duration (e.g., 30d, 1y)

Examples:

# Basic usage (single value from stdin)
echo "sk-your-api-key" | secretctl set OPENAI_API_KEY

# Multi-field secret
secretctl set db/prod \
  --field host=db.example.com \
  --field port=5432 \
  --field user=admin \
  --field password=secret123 \
  --sensitive password

# With environment bindings
secretctl set db/prod \
  --field host=db.example.com \
  --field password=secret123 \
  --binding PGHOST=host \
  --binding PGPASSWORD=password \
  --sensitive password

# With metadata
echo "mypassword" | secretctl set DB_PASSWORD \
  --notes="Production database" \
  --tags="prod,db" \
  --url="https://console.example.com"

# With expiration
echo "temp-token" | secretctl set TEMP_TOKEN --expires="30d"

get

Retrieve a secret value or specific fields.

secretctl get [key] [flags]

Flags:

FlagDescription
--field nameGet a specific field value
--fieldsList all field names (no values)
--show-metadataShow metadata with the secret

Examples:

# Get secret value only (legacy single-value)
secretctl get API_KEY

# Get a specific field from multi-field secret
secretctl get db/prod --field host

# List all field names
secretctl get db/prod --fields

# Get secret with metadata
secretctl get API_KEY --show-metadata

delete

Delete a secret from the vault.

secretctl delete [key]

Example:

secretctl delete OLD_API_KEY

list

List all secret keys in the vault.

secretctl list [flags]

Flags:

FlagDescription
--tag stringFilter by tag
--expiring stringShow secrets expiring within duration (e.g., 7d)

Examples:

# List all secrets
secretctl list

# Filter by tag
secretctl list --tag=prod

# Show expiring secrets
secretctl list --expiring=7d

run

Execute a command with secrets injected as environment variables.

secretctl run [flags] -- command [args...]

Flags:

FlagDescription
-k, --key stringArraySecret keys to inject (glob pattern supported)
-t, --timeout durationCommand timeout (default: 5m)
--env stringEnvironment alias (e.g., dev, staging, prod)
--env-prefix stringEnvironment variable name prefix
--no-sanitizeDisable output sanitization
--obfuscate-keysObfuscate secret key names in error messages

Environment Variable Naming:

Secret keys are transformed to environment variable names:

  • / is replaced with _
  • - is replaced with _
  • Names are converted to UPPERCASE
Secret KeyEnvironment Variable
aws/access_keyAWS_ACCESS_KEY
db-passwordDB_PASSWORD
api/prod/keyAPI_PROD_KEY

Examples:

# Single secret
secretctl run -k API_KEY -- curl -H "Authorization: Bearer $API_KEY" https://api.example.com

# Multiple secrets
secretctl run -k DB_HOST -k DB_USER -k DB_PASS -- psql

# Wildcard pattern (matches single level)
secretctl run -k "aws/*" -- aws s3 ls

# With timeout
secretctl run -k API_KEY --timeout=30s -- ./long-script.sh

# With environment alias
secretctl run --env=prod -k "db/*" -- ./deploy.sh

# With prefix
secretctl run -k API_KEY --env-prefix=APP_ -- ./app

Output Sanitization:

By default, command output is scanned for secret values. Any matches are replaced with [REDACTED:key].

# If DB_PASSWORD contains "secret123"
$ secretctl run -k DB_PASSWORD -- echo "Password is $DB_PASSWORD"
Password is [REDACTED:DB_PASSWORD]

export

Export secrets to .env or JSON format.

secretctl export [flags]

Flags:

FlagDescription
-k, --key stringsKeys to export (glob pattern supported)
-f, --format stringOutput format: env, json (default: env)
-o, --output stringOutput file path (default: stdout)
--with-metadataInclude metadata in JSON output
--forceOverwrite existing file without confirmation

Examples:

# Export all secrets to stdout
secretctl export

# Export to .env file
secretctl export -o .env

# Export specific keys as JSON
secretctl export -k "aws/*" -f json -o config.json

# Export with metadata
secretctl export -f json --with-metadata -o secrets.json

# Pipe to another command
secretctl export -f json | jq '.DB_HOST'

import

Import secrets from .env or JSON files.

secretctl import [file] [flags]

Flags:

FlagDescription
--on-conflict stringHow to handle existing keys: skip, overwrite, error (default: error)
--dry-runPreview what would be imported without making changes

Examples:

# Import from .env file
secretctl import .env

# Import from JSON file
secretctl import config.json

# Preview changes without importing
secretctl import .env --dry-run

# Skip existing keys
secretctl import .env --on-conflict=skip

# Overwrite existing keys
secretctl import .env --on-conflict=overwrite

Supported Formats:

  • .env files: Standard KEY=VALUE format
  • JSON files: Object with key-value pairs {"KEY": "value"}

generate

Generate cryptographically secure random passwords.

secretctl generate [flags]

Flags:

FlagDescription
-l, --length intPassword length (8-256, default: 24)
-n, --count intNumber of passwords to generate (1-100, default: 1)
-c, --copyCopy first password to clipboard
--exclude stringCharacters to exclude
--no-uppercaseExclude uppercase letters
--no-lowercaseExclude lowercase letters
--no-numbersExclude numbers
--no-symbolsExclude symbols

Examples:

# Generate default password (24 chars)
secretctl generate

# Generate 32-char password without symbols
secretctl generate -l 32 --no-symbols

# Generate 5 passwords
secretctl generate -n 5

# Generate and copy to clipboard
secretctl generate -c

# Exclude ambiguous characters
secretctl generate --exclude "0O1lI"

audit

Manage audit logs.

audit list

List audit log entries.

secretctl audit list [flags]

Flags:

FlagDescription
--limit intMaximum number of events to show (default: 100)
--since stringShow events since duration (e.g., 24h)

Example:

secretctl audit list --limit=50 --since=24h

audit verify

Verify audit log HMAC chain integrity.

secretctl audit verify

Example:

$ secretctl audit verify
Audit log integrity verified. 1234 events checked.

audit export

Export audit logs to JSON or CSV format.

secretctl audit export [flags]

Flags:

FlagDescription
--format stringOutput format: json, csv (default: json)
-o, --output stringOutput file path (default: stdout)
--since stringExport events since duration (e.g., 30d)
--until stringExport events until date (RFC 3339)

Example:

secretctl audit export --format=csv -o audit.csv --since=30d

audit prune

Delete old audit log entries.

secretctl audit prune [flags]

Flags:

FlagDescription
--older-than stringDelete logs older than duration (e.g., 12m for 12 months)
--dry-runShow what would be deleted without deleting
-f, --forceSkip confirmation prompt

Example:

# Preview deletions
secretctl audit prune --older-than=12m --dry-run

# Delete with confirmation
secretctl audit prune --older-than=12m

# Delete without confirmation
secretctl audit prune --older-than=12m --force

backup

Create an encrypted backup of the vault.

secretctl backup [flags]

Flags:

FlagDescription
-o, --output stringOutput file path (required unless using --stdout)
--stdoutOutput to stdout (for piping)
--with-auditInclude audit logs in backup
--backup-passwordUse a separate backup password (prompted)
--key-file stringEncryption key file (32 bytes)
-f, --forceOverwrite existing file without confirmation

Examples:

# Basic backup
secretctl backup -o vault-backup.enc

# Backup with audit logs
secretctl backup -o full-backup.enc --with-audit

# Backup to stdout (for piping to gpg, etc.)
secretctl backup --stdout | gpg --encrypt > backup.gpg

# Use separate backup password
secretctl backup -o backup.enc --backup-password

# Use key file for automation
secretctl backup -o backup.enc --key-file=backup.key

# Overwrite existing backup
secretctl backup -o backup.enc --force

restore

Restore the vault from an encrypted backup.

secretctl restore <backup-file> [flags]

Flags:

FlagDescription
--dry-runPreview what would be restored without making changes
--verify-onlyOnly verify backup integrity (no restore)
--on-conflict stringHow to handle existing keys: skip, overwrite, error (default: error)
--key-file stringDecryption key file
--with-auditRestore audit logs (overwrites existing)
-f, --forceSkip confirmation prompt

Examples:

# Verify backup integrity
secretctl restore backup.enc --verify-only

# Preview restore without changes
secretctl restore backup.enc --dry-run

# Restore, skip existing keys
secretctl restore backup.enc --on-conflict=skip

# Restore, overwrite existing keys
secretctl restore backup.enc --on-conflict=overwrite

# Restore with audit logs
secretctl restore backup.enc --with-audit

# Use key file for decryption
secretctl restore backup.enc --key-file=backup.key

mcp-server

Start the MCP server for AI coding assistant integration.

secretctl mcp-server

Authentication:

Set SECRETCTL_PASSWORD environment variable before starting:

SECRETCTL_PASSWORD=your-password secretctl mcp-server

Available MCP Tools:

ToolDescription
secret_listList secret keys with metadata (no values)
secret_existsCheck if a secret exists with metadata
secret_get_maskedGet masked secret value (e.g., ****WXYZ)
secret_runExecute command with secrets as environment variables

Policy Configuration:

Create ~/.secretctl/mcp-policy.yaml to configure allowed commands:

version: 1
default_action: deny
allowed_commands:
  - aws
  - gcloud
  - kubectl

See MCP Integration Guide for detailed configuration.