CLI reference
Manage secrets from the terminal with the stash CLI
CLI reference
The stash CLI is bundled with @cipherstash/stack and available after install.
It reads credentials from the same CS_* environment variables used by the SDK.
Commands
Set a secret
Encrypt and store a secret:
npx stash secrets set --name DATABASE_URL --value "postgres://..." --environment production
npx stash secrets set -n DATABASE_URL -V "postgres://..." -e productionGet a secret
Retrieve and decrypt a secret:
npx stash secrets get --name DATABASE_URL --environment production
npx stash secrets get -n DATABASE_URL -e productionList secrets
List all secret names in an environment:
npx stash secrets list --environment production
npx stash secrets list -e productionDelete a secret
Delete a secret (prompts for confirmation):
npx stash secrets delete --name DATABASE_URL --environment productionPass --yes to skip the confirmation prompt:
npx stash secrets delete --name DATABASE_URL --environment production --yes
npx stash secrets delete -n DATABASE_URL -e production -yCommand reference
| Command | Flags | Aliases | Description |
|---|---|---|---|
stash secrets set | --name, --value, --environment | -n, -V, -e | Encrypt and store a secret |
stash secrets get | --name, --environment | -n, -e | Retrieve and decrypt a secret |
stash secrets list | --environment | -e | List all secret names in an environment |
stash secrets delete | --name, --environment, --yes | -n, -e, -y | Delete a secret |
Configuration
The CLI reads credentials from environment variables:
| Variable | Description |
|---|---|
CS_WORKSPACE_CRN | The workspace identifier (CRN format) |
CS_CLIENT_ID | The client identifier |
CS_CLIENT_KEY | Client key material used with ZeroKMS |
CS_CLIENT_ACCESS_KEY | API key for authenticating with the CipherStash API |