key

Secret Manager · macOS · CLI · Open Source

Secrets you control.
Native macOS Security.

key is a CLI secret manager — each secret stored as its own encrypted file on your disk, named, organized, and backed up however you want. The vault key lives in your Keychain, released through macOS user presence authentication — Apple Watch, Touch ID, or your system password.

View on GitHub
Terminal

The difference

Each secret is its own file

Not hidden inside an app. Every secret is a real file on your disk — organize it in folders, back it up like any other file, move it to a new machine. The structure is transparent and yours.

You're never locked in

The encrypted files are on your disk. The vault key is in your Keychain. Both are yours. key uses standard AES-256-GCM — meaning you can decrypt any secret yourself, without the app, using any standard crypto tool.

Generate passwords your way

key has no built-in password generator — no default recipe for length, symbols, or entropy. Adding and editing are stdin-first: pipe in openssl, pwgen, diceware, or any tool you trust. You decide what strong looks like.

Built for the shell

Pipe in, pipe out, compose with whatever you already use.

Pipe in any generator

openssl rand -base64 32 | key add aws/prod/token
pwgen -sy 24 1 | key add github/personal
diceware -n 6 | key add backup/passphrase
uuidgen | key add app/deploy-token

Fuzzy pick with fzf

key get    "$(key list | fzf)"
key copy   "$(key list | fzf)"
key edit   "$(key list | fzf)"
key remove "$(key list | fzf)"

Inject into your dev environment

# .env.schema
DATABASE_URL=exec(`key get db/prod/url`)
API_TOKEN=exec(`key get services/stripe/key`)

varlock run -- npm start

Commands

Usage

key <command> [arguments]

Commands

get <name>
Print a secret.
copy <name>
Copy a secret to the clipboard.
add <name>
Add a new secret from stdin or prompt.
edit <name>
Update a secret from stdin or prompt.
duplicate <src> <dst> [--force]
Duplicate an entry.
rename <src> <dst> [--force]
Rename an entry.
remove <name> [--force]
Remove a secret.
list
List stored secrets.
unlock
Warm the helper session.
lock
Clear the helper session and stop the helper.
version [--json]
Print the CLI version.
help
Show this help.

Options

--force
Skip overwrite or removal confirmation.
--json
Print version info as JSON.

Install

Early development — follow the repo for releases.

brew tap tvanreenen/tap
brew install --cask key

Open Key.app once so the Key Agent can register with macOS.