Skip to main content
The Enkryptify CLI (ek) provides commands to authenticate, configure and run your applications with secrets injected as environment variables.

Usage

ek [command]

Global Flags

  • -h, --help: help for ek
  • -v, --version: get the current version of the CLI

Commands

Authenticate with Enkryptify to access your secrets.This opens a web browser to complete the OAuth flow. After successful authentication, credentials are stored securely in your system keyring.
ek login
Options:
  • -f, --force: force re-authentication even if already logged in
ek login --force
Log out of Enkryptify and revoke your CLI token.This revokes the active CLI token on the server and clears local credentials from the system keyring. If the server is unreachable, local credentials are still cleared.
ek logout
Show the currently authenticated user.Displays the name and email of the user associated with the current session. If not logged in or the session has expired, you will be prompted to run ek login.
ek whoami
Link the current git repository to an Enkryptify workspace, project and environment.The configuration is saved to ~/.enkryptify/config.json and associated with the current directory path.
ek configure
# OR
ek setup
Run a command with secrets from Enkryptify injected as environment variables.This fetches secrets for your configured workspace, project and environment, then executes the provided command with those secrets available as env vars.Arguments:
  • cmd: command and arguments to run
Options:
  • -e, --env <environmentName>: environment name to use (overrides default from config)
  • -p, --project <projectName>: project name to use (overrides default from config; requires --env)
  • --skip-cache: skip local cache and always fetch fresh secrets from the API
  • --offline: use cached secrets without making an API call
--skip-cache and --offline are mutually exclusive.
Note: Use -- to separate ek run from the command you want to execute.
ek run -- <command>
Examples:
ek run -- npm start                            # Run npm start with secrets
ek run -- pnpm run dev                         # Run pnpm dev with secrets
ek run -- python app.py                        # Run Python app with secrets
ek run -- docker-compose up                    # Run docker-compose with secrets
ek run -e staging -- npm start                 # Override environment
ek run -p backend -e production -- npm start   # Override project and environment
ek run --skip-cache -- npm start               # Force fresh secrets
ek run --offline -- npm start                  # Use cached secrets only
Replace all ${VARIABLES} in a file with the corresponding secrets from Enkryptify.
ek run-file --file <file>
Options:
  • -f, --file <path>: path to the file to process (required)
  • -e, --env <environmentName>: environment name to use (overrides default from config)
  • --skip-cache: skip local cache and always fetch fresh secrets from the API
  • --offline: use cached secrets without making an API call
--skip-cache and --offline are mutually exclusive.
Usage:
sam deploy --config-file <(ek run-file --file samconfig.toml)
node index.js --file <(ek run-file --file data.json)
Examples of files to replace variables in:
[default]
region = "${AWS_REGION}"
stack_name = "${STACK_NAME}"
s3_bucket = "${AWS_S3_BUCKET}"
s3_prefix = "${AWS_S3_PREFIX}"
s3_key = "${AWS_ACCESS_KEY_ID}"
s3_secret = "${AWS_SECRET_ACCESS_KEY}"
s3_session_token = "${AWS_SESSION_TOKEN}"
s3_region = "${AWS_REGION}"

{
  "databaseUrl": "${DATABASE_URL}",
  "sessionToken": "${SESSION_TOKEN}"
}
Run a command with a read-only Enkryptify SDK token injected as the ENKRYPTIFY_TOKEN environment variable.The token is scoped to the configured workspace, project and environment and is valid for 8 hours. This is useful for running applications that use the Enkryptify SDK to fetch secrets at runtime instead of having all secrets injected as environment variables.Note: Use -- to separate ek sdk from the command you want to execute.
ek sdk -- <command>
Examples:
ek sdk -- npm start       # Run npm start with SDK token
ek sdk -- python app.py   # Run Python app with SDK token

Secret Management

All secret operations are subcommands of ek secret. 
ek secret [subcommand]
Create a new secret in the current environment.
ek secret create <name> [value]
Arguments:
  • name: secret key (A-Z, a-z, 0-9, underscore, hyphen)
  • value: secret value (use quotes for spaces or special characters)
ek secret create DATABASE_URL "postgresql://app:app@localhost:5432/enkryptify"
Expected result: the DATABASE_URL secret is created in the current environment.
Update a secret in the current environment.
ek secret update <name>
Arguments:
  • name: secret key to update
Options:
  • --ispersonal: make the secret personal (Enkryptify provider only)
ek secret update DATABASE_URL
Expected result: the DATABASE_URL secret is updated in the current environment.
Delete a secret from the current environment.
ek secret delete <name>
Arguments:
  • name: secret key to delete
ek secret delete DATABASE_URL
Expected result: the DATABASE_URL secret is removed from the current environment.
List secrets in the current environment.
ek secret list [options]
Options:
  • -s, --show: show secret values (defaults to masked)
ek secret list --show
Expected result: a table of secrets with values visible.
Upgrade the Enkryptify CLI to the latest version. The command auto-detects the original install method (Homebrew, Scoop or binary) and upgrades accordingly.
ek upgrade
Options:
  • -f, --force: force upgrade even if already on the latest version
ek upgrade --force

Secret Caching

Secrets fetched by ek run and ek run-file are cached in the system keyring with a 10-second TTL. This avoids redundant API calls when running commands in quick succession. Three caching modes are available:
  • Normal (default): fetches from cache if valid, otherwise calls the API
  • Skip cache (--skip-cache): always fetches fresh secrets from the API
  • Offline (--offline): uses cached secrets without any API call; fails if no cache exists
If an API call fails in normal mode, the CLI falls back to cached secrets when available.