Access SSH keys, API tokens and passwords from the command line. Use in deploy scripts, Makefiles and CI pipelines. All decryption is local — the server never sees plaintext.
Authenticate and derive your vault key locally. The server never sees the derived key — it stays in ~/.sealedkeys/session.json.
$ sealedkeys login
Email: alice@acme.com
Master password: ●●●●●●●●●●●●
› Deriving vault key — this takes a few seconds…
✓ Logged in as alice@acme.comSee all items at a glance. Filter by type to find exactly what you need.
$ sealedkeys list --type API_KEY
Name Type Updated
──────────────────────────────────────────────
GitHub Personal Token api-key 2d ago
Stripe Live Key api-key 5d ago
AWS Access Key api-key 1w ago
──────────────────────────────────────────────
3 itemsDecrypt and display any vault item. Sensitive fields are masked by default.
$ sealedkeys get "GitHub Personal Token"
GitHub Personal Token api-key
Key Name: github-prod
API Key: ghp_xxxx●●●●●●●●
Environment: production
› Use --field <name> --raw to output a value for scripting.
› Sensitive fields: apiKeyOutput raw values for piping. No password manager browser plugin required in your CI environment.
# Export a secret as an environment variable
export STRIPE_KEY=$(sealedkeys get "Stripe Live Key" --field apiKey --raw)
# Pass an SSH key to ssh-add
sealedkeys get "Deploy Key" --field sshPrivateKey --raw | ssh-add -
# Use in a Makefile
deploy:
@export DB_PASS=$$(sealedkeys get "Postgres Prod" --field password --raw) && \
./deploy.shThe CLI follows the same zero-knowledge architecture as the web app. Your master password never leaves your machine.
Your master password never leaves your machine. The CLI runs 600,000 iterations of PBKDF2-SHA256 locally to derive a 256-bit AES key — identical to what the browser does. The derived key is stored in ~/.sealedkeys/session.json (chmod 600).
A signed JWT (30-day expiry) is issued on login. The CLI uses this token to fetch encrypted vault data from the API. The server validates the token but never has access to your vault key or plaintext.
Vault items are encrypted with AES-256-GCM. The CLI decrypts them locally using your cached vault key. When you run `sealedkeys get`, the plaintext is only ever in your terminal's memory.
npm install -g @sealedkeys/clinpx @sealedkeys/cli loginUse environment variables for non-interactive authentication in GitHub Actions, GitLab CI, or other pipelines.
- name: Fetch secrets from SealedKeys
env:
SEALEDKEYS_EMAIL: ${{ secrets.SEALEDKEYS_EMAIL }}
SEALEDKEYS_PASSWORD: ${{ secrets.SEALEDKEYS_PASSWORD }}
run: |
npm install -g @sealedkeys/cli
sealedkeys login
export STRIPE_KEY=$(sealedkeys get "Stripe Prod" --field apiKey --raw)
export DB_PASSWORD=$(sealedkeys get "Postgres Prod" --field password --raw)Store SEALEDKEYS_EMAIL and SEALEDKEYS_PASSWORD as encrypted secrets in your CI provider. The derived vault key is discarded when the runner exits.
On login, the CLI stores your vault key (not your master password) in ~/.sealedkeys/session.json with permissions 0600. This file can decrypt your vault — treat it like an SSH private key. Run sealedkeys logout to remove it when you're done, especially on shared machines.
Free account — 25 vault items, no credit card. Install the CLI and you're done in two minutes.