CLI Overview
Install and configure the SikkerKey command-line interface.
The SikkerKey CLI is a single-binary tool for reading, creating, rotating, and exporting secrets from the command line. It authenticates using the same Ed25519 machine identity as the SDKs.
Installation
npm (recommended)
npm install -g @sikkerkey/cli
Works on Linux, macOS, and Windows. Downloads the correct prebuilt binary for your platform automatically.
Verify
sikkerkey version
Build from source
If you prefer to build from source, the CLI is a single Go binary with zero dependencies:
cd cli
go build -o sikkerkey main.go
sudo mv sikkerkey /usr/local/bin/
Prerequisites
The CLI requires a bootstrapped machine identity. Run the bootstrap command from the dashboard (Machines > + Validate) to register your machine and create the identity at ~/.sikkerkey/vaults/{vaultId}/.
First-Time Setup
After bootstrapping, connect to your vault and unlock a project:
# Select the vault identity
sikkerkey connect vault_abc123
# Add a project
sikkerkey unlock proj_xyz789
# Optionally alias them for convenience
sikkerkey connect vault_abc123 --alias prod
sikkerkey unlock proj_xyz789 --alias production
Once connected and unlocked, you can read secrets:
sikkerkey get sk_a1b2c3d4e5
Command Categories
| Category | Commands |
|---|---|
| Setup | connect, unlock |
| Config | project, rename, delete |
| Secrets | get |
| Operations | export, run, list |
| Agent | agent start, agent install, agent configure, agent list, agent stop, agent remove, agent test |
| Info | whoami, status, clear, completion, version |
Run sikkerkey <command> --help for details on any command.
Configuration
The CLI stores local configuration at ~/.sikkerkey/vaults/{vaultId}/cli.json. This file tracks:
- Which vault is currently active
- Which projects are unlocked and their aliases
- The default project for the current vault
- Default generation settings (length, charset)
This is local-only. It does not affect the server or other machines.
Shell Completion
# Bash
eval "$(sikkerkey completion bash)"
# Zsh
eval "$(sikkerkey completion zsh)"
# Fish
sikkerkey completion fish > ~/.config/fish/completions/sikkerkey.fish
Global Flags
The --project flag is available on most secret commands. It overrides the default project for that invocation:
sikkerkey get sk_abc123 --project staging
sikkerkey list secrets --project production
sikkerkey export --project production --format json
If no --project is specified, the CLI uses the default project set via sikkerkey project <name>.