key

Secret Manager · macOS · CLI · Open Source

Secrets you control.
Native macOS Security.

key is a CLI secret and OTP manager — each item is stored as its own encrypted file on disk, named, organized, and backed up however you want. The vault key lives in your Keychain, released through macOS user presence authentication — Apple Watch, Touch ID, or your system password.

View on GitHub
Terminal

The difference

Each secret is its own file

Not hidden inside an app. Inspired by pass, every secret is a real file on your disk — organize it in folders, back it up like any other file, move it to a new machine. The structure is transparent and yours.

You're never locked in

The encrypted files are on your disk. The vault key is in your Keychain. Both are yours. key uses standard AES-256-GCM — meaning you can decrypt any secret yourself, without the app, using any standard crypto tool.

Generate passwords your way

key has no built-in password generator — no default recipe for length, symbols, or entropy. Adding and editing are stdin-first: pipe in openssl, pwgen, diceware, uuidgen, xkcdpass, or any tool you trust. You decide what strong looks like.

Install & CLI reference

How to install Key and its helper with Homebrew, then the commands and flags you use day to day.

Install

brew tap tvanreenen/tap
brew install --cask key

If you manage installs with a Brewfile, add the tap and cask there as well: 

tap "tvanreenen/tap"
cask "key"

Open Key.app once so the Key Agent can register with macOS.

Commands

Usage

key <command> [arguments]

Commands

get <name>
Print a secret or TOTP code.
copy <name>
Copy a secret or TOTP code.
add [--totp] <name>
Add a secret from stdin or prompt.
edit [--totp] <name>
Update a secret from stdin or prompt.
duplicate <src> <dst> [--force]
Duplicate an entry.
rename <src> <dst> [--force]
Rename an entry.
remove <name> [--force]
Remove an entry.
list
List stored secrets.
unlock
Unlock the vault.
lock
Lock the vault.
config get <config-name>
Print a config setting.
config set <config-name> <value>
Update a config setting.
config list
List config settings.
version [--json]
Print the CLI version.
help
Show this help.

Options

--force
Skip overwrite or removal confirmation.
--json
Print version info as JSON.
--totp
Treat add/edit input as a Base32 TOTP seed.

Config names

vault-dir
Effective vault directory.

Built for the shell

Pipe in, pipe out, compose with whatever you already use.

Pipe in any generator

openssl rand -base64 32 | key add aws/prod/token
pwgen -sy 24 1 | key add github/personal
diceware -n 6 | key add backup/passphrase
uuidgen | key add app/deploy-token

Fuzzy pick with fzf

key get    "$(key list | fzf)"
key copy   "$(key list | fzf)"
key edit   "$(key list | fzf)"
key remove "$(key list | fzf)"

Inject into your dev environment

# .env.schema from https://varlock.dev/
DATABASE_URL=exec(`key get db/prod/url`)
API_TOKEN=exec(`key get services/stripe/key`)

varlock run -- npm start