Skip to main content
The Enkryptify CLI (ek) provides commands to authenticate, configure and run your applications with secrets injected as environment variables.

Usage

ek [command]

Global Flags

  • -h, --help: help for ek
  • -v, --version: get the current version of the CLI

Commands

Authenticate with Enkryptify to access your secrets.This opens a web browser to complete the OAuth flow. After successful authentication, credentials are stored securely in your system keyring.
ek login
Options:
  • -f, --force: force re-authentication even if already logged in
ek login --force
Log out of Enkryptify and revoke your CLI token.This revokes the active CLI token on the server and clears local credentials from the system keyring. If the server is unreachable, local credentials are still cleared.
ek logout
Show the currently authenticated user.Displays the name and email of the user associated with the current session. If not logged in or the session has expired, you will be prompted to run ek login.
ek whoami
Link the current git repository to an Enkryptify workspace, project and environment.The configuration is saved to ~/.enkryptify/config.json and associated with the current directory path.
ek configure
# OR
ek setup
Import secrets from a .env file into Enkryptify. This is the upload half of every import workflow: pull your environment into a .env file, then upload it with one command.
ek import [file]
Arguments:
  • file (optional): path to any dotenv file. Defaults to .env in the current directory. Pass another name such as .env.production or config/.env.staging to import a different file.
What it does:
  • Reads and parses the file. It understands KEY=value lines, an optional export prefix, # comments and quoted values (single, double and multi-line).
  • Prompts you to choose the target workspace, project and environment. When only one option exists it is selected automatically. You can also create a new project or environment inline.
  • Uploads the parsed secrets to the selected environment.
  • Asks whether to delete the source file once the import succeeds, so no plaintext copy is left behind.
You must be logged in with ek login first.
ek import                 # Import ./.env (the default)
ek import .env.production  # Import a specific file
ek import config/.env      # Import a file in another directory
Pair ek import with your provider’s CLI to move secrets from Vercel, 1Password or AWS Secrets Manager. See Import secrets.
Run a command with secrets from Enkryptify injected as environment variables.This fetches secrets for your configured workspace, project and environment, then executes the provided command with those secrets available as env vars.Arguments:
  • cmd: command and arguments to run
Options:
  • -e, --env <environmentName>: environment name to use (overrides default from config)
  • -p, --project <projectName>: project name to use (overrides default from config; requires --env)
  • --skip-cache: skip local cache and always fetch fresh secrets from the API
  • --offline: use cached secrets without making an API call
--skip-cache and --offline are mutually exclusive.
Note: Use -- to separate ek run from the command you want to execute.
ek run -- <command>
Examples:
ek run -- npm start                            # Run npm start with secrets
ek run -- pnpm run dev                         # Run pnpm dev with secrets
ek run -- python app.py                        # Run Python app with secrets
ek run -- docker-compose up                    # Run docker-compose with secrets
ek run -e staging -- npm start                 # Override environment
ek run -p backend -e production -- npm start   # Override project and environment
ek run --skip-cache -- npm start               # Force fresh secrets
ek run --offline -- npm start                  # Use cached secrets only
Replace all ${VARIABLES} in a file with the corresponding secrets from Enkryptify.
ek run-file --file <file>
Options:
  • -f, --file <path>: path to the file to process (required)
  • -e, --env <environmentName>: environment name to use (overrides default from config)
  • --skip-cache: skip local cache and always fetch fresh secrets from the API
  • --offline: use cached secrets without making an API call
--skip-cache and --offline are mutually exclusive.
Usage:
sam deploy --config-file <(ek run-file --file samconfig.toml)
node index.js --file <(ek run-file --file data.json)
Examples of files to replace variables in:
[default]
region = "${AWS_REGION}"
stack_name = "${STACK_NAME}"
s3_bucket = "${AWS_S3_BUCKET}"
s3_prefix = "${AWS_S3_PREFIX}"
s3_key = "${AWS_ACCESS_KEY_ID}"
s3_secret = "${AWS_SECRET_ACCESS_KEY}"
s3_session_token = "${AWS_SESSION_TOKEN}"
s3_region = "${AWS_REGION}"

{
  "databaseUrl": "${DATABASE_URL}",
  "sessionToken": "${SESSION_TOKEN}"
}
Run a command with a read-only Enkryptify SDK token injected as the ENKRYPTIFY_TOKEN environment variable.The token is scoped to the configured workspace, project and environment and is valid for 8 hours. This is useful for running applications that use the Enkryptify SDK to fetch secrets at runtime instead of having all secrets injected as environment variables.Note: Use -- to separate ek sdk from the command you want to execute.
ek sdk -- <command>
Examples:
ek sdk -- npm start       # Run npm start with SDK token
ek sdk -- python app.py   # Run Python app with SDK token
Upgrade the Enkryptify CLI to the latest version. The command auto-detects the original install method (Homebrew, Scoop or binary) and upgrades accordingly.
ek upgrade
Options:
  • -f, --force: force upgrade even if already on the latest version
ek upgrade --force

Secret Management

The ek secret commands are deprecated and may be removed in a future release. Manage secrets through the Enkryptify dashboard instead.
All secret operations are subcommands of ek secret. 
ek secret [subcommand]
Create a new secret in the current environment.
ek secret create <name> [value]
Arguments:
  • name: secret key (A-Z, a-z, 0-9, underscore, hyphen)
  • value: secret value (use quotes for spaces or special characters)
ek secret create DATABASE_URL "postgresql://app:app@localhost:5432/enkryptify"
Expected result: the DATABASE_URL secret is created in the current environment.
Update a secret in the current environment.
ek secret update <name>
Arguments:
  • name: secret key to update
Options:
  • --ispersonal: make the secret personal (Enkryptify provider only)
ek secret update DATABASE_URL
Expected result: the DATABASE_URL secret is updated in the current environment.
Delete a secret from the current environment.
ek secret delete <name>
Arguments:
  • name: secret key to delete
ek secret delete DATABASE_URL
Expected result: the DATABASE_URL secret is removed from the current environment.
List secrets in the current environment.
ek secret list [options]
Options:
  • -s, --show: show secret values (defaults to masked)
ek secret list --show
Expected result: a table of secrets with values visible.

Secret Caching

Secrets fetched by ek run and ek run-file are cached in the system keyring with a 10-second TTL. This avoids redundant API calls when running commands in quick succession. Three caching modes are available:
  • Normal (default): fetches from cache if valid, otherwise calls the API
  • Skip cache (--skip-cache): always fetches fresh secrets from the API
  • Offline (--offline): uses cached secrets without any API call; fails if no cache exists
If an API call fails in normal mode, the CLI falls back to cached secrets when available.