CipherStash Documentation

Access Keys

In order for your client to interact with CipherStash QX without the need for a user to authenticate, you will need a CipherStash QX access key.

A client in this context is another machine, application or process.

CipherStash QX access keys enable your client to programmatically access CipherStash QX.

This means that any client that has access to this key is authorised to access your data in CipherStash QX.

The information below will guide you through how to create, list and revoke keys.

Create an access key

Access keys are created via the Stash CLI. See here on how to install.

To create a key, run the command stash create-key.

This is followed by what you want to name the access key --name MyAccessKey.

Then specify which profile you want the access key created for --profile ProfileName.

Your CipherStash QX profiles are located in the folder ~/.cipherstash.

The access key will be created for the workspace specified in that profile at ~/.cipherstash/<profile>/profile-config.json, service.workspace

You need have access to the workspace before you can create an access key for it.

Below is an example of the command using the name MyAccessKey for profile ABC1234

stash create-key --name MyAccessKey --profile ABC1234

You will receive a prompt indicating that the access key is being generated, then you should see output similar to the below.

➜  ~ stash create-key --name MyAccessKey --profile ABC1234
Generating access key MyAccessKey.........

Access Key created!

The key MyAccessKey for workspace ABC1234 is:


The output displays the environment variable name that you will need to use in your config CS_IDP_CLIENT_SECRET, followed by the CipherStash QX access key CSAKaccessKeyId.accessKeySecret.

The access key is made up of a key id and a secret.

This is the only time the entire key, including the secret, will be displayed, so make sure to copy the key.

If you do happen to forget to copy the key over, you can always generate a new key and revoke the previously generated key via the key name.

It is recommended to rotate your access keys regularly. You can do this by generating a new access key, updating your configuration with the new access key and revoking the old one.

See below on how to list and revoke keys.

List Access keys

To list the access keys for a workspace run the below

stash list-keys --profile ProfileName

This command will list the keys for the workspace specified in the profile you provide after --profile.

The workspace id for the profile is located here ~/.cipherstash/<profile>/profile-config.json, service.workspace.

│ Name                │ Key ID           │ Workspace       │ Created At               │ Last Used At             │
│ AccessKeyOne        │ YTREWQ123456     │ ABC1234567890   │ 2022-05-09T04:37:56.723Z │                          │
│ AccessKeyTwo        │ ASDFGHJK1234     │ ABC1234567890   │ 2022-05-13T06:15:42.853Z │ 2022-05-13T09:15:42.853Z │

The timestamps are in UTC time.

Revoke Access key

To revoke an access key use the below command using the key name you specified for the key.

stash revoke-key --name AccessKeyOne

You will receive the below confirmation that the key has been revoked.

Access Key AccessKeyOne for workspace YTREWQ123456 revoked.