CLI Overview
Install and configure the SikkerKey command-line interface.
The SikkerKey CLI is a single-binary tool for reading, creating, rotating, and exporting secrets from the command line. It authenticates using the same Ed25519 machine identity as the SDKs.
Installation
npm (recommended)
npm install -g sikkerkey
Works on Linux, macOS, and Windows. Downloads the correct prebuilt binary for your platform automatically.
Or run without installing:
npx sikkerkey
Verify
sikkerkey version
Build from source
If you prefer to build from source, the CLI is a Go module with stdlib-only imports:
cd cli
go build -o sikkerkey .
Move the resulting sikkerkey binary onto your PATH (/usr/local/bin on Linux / macOS, or any directory listed in your PATH on Windows).
Prerequisites
The CLI requires a bootstrapped machine identity. Run the bootstrap command from the dashboard (Machines > + Validate) to register your machine and create the identity at ~/.sikkerkey/vaults/{vaultId}/.
First-Time Setup
After bootstrapping, unlock a project to start reading secrets:
sikkerkey unlock proj_xyz789
If this machine is only registered with one vault, the CLI auto-selects it. No connect step is needed.
Only run connect if the machine has been bootstrapped with more than one vault:
# List vaults this machine knows about
sikkerkey connect --list
# Select which one to use
sikkerkey connect vault_abc123
Aliases are optional but handy:
sikkerkey connect vault_abc123 --alias prod
sikkerkey unlock proj_xyz789 --alias production
Once unlocked, read a secret:
sikkerkey get sk_a1b2c3d4e5
Command Categories
| Category | Commands |
|---|---|
| Setup | connect, unlock |
| Config | project, rename, delete |
| Secrets | get |
| Operations | export, run, list |
| Agent | agent start, agent install, agent configure, agent list, agent stop, agent remove, agent test |
| Info | whoami, status, clear, completion, version |
Run sikkerkey <command> --help for details on any command.
Configuration
The CLI stores local configuration at ~/.sikkerkey/vaults/{vaultId}/cli.json. This file tracks:
- Which vault is currently active
- Which projects are unlocked and their aliases
- The default project for the current vault
- Default generation settings (length, charset)
This is local-only. It does not affect the server or other machines.
Shell Completion
# Bash
eval "$(sikkerkey completion bash)"
# Zsh
eval "$(sikkerkey completion zsh)"
# Fish
sikkerkey completion fish > ~/.config/fish/completions/sikkerkey.fish
Global Flags
The --project flag is available on most secret commands. It overrides the default project for that invocation:
sikkerkey get sk_abc123 --project staging
sikkerkey list secrets --project production
sikkerkey export --project production --format json
If no --project is specified, the CLI uses the default project set via sikkerkey project <name>.