Load encrypted environment variables at runtime, and manage environments.
Last updated a month ago by lrrrgg .
GPL-3.0-only · Repository · Bugs · Original npm · Tarball · package.json
$ cnpm install keys-cli 
SYNC missed versions from official npm registry.

keys - client

This is the keys core client, which can be installed with npm and provides the keys command line utility. is a repository that stores encrypted blobs of environment variables. You can store variable sets for your software in the repository, and fetch-decrypt-load them at runtime. This prevents your sensitive environment variables like API access keys from ever having to sit in plain text files on your systems and developer machines.

The repository functions similarly to modern password managers, and does not have access to your environment variables, they are decrypted locally after you fetch the blob. Don't lose your password!


You should have an account at if you want to interact with the repository.

Linux Build Dependencies

Before npm install, you may have to install python2 and libsecret

sudo apt-get install libsecret-1-dev # Debian/Ubuntu
sudo yum install libsecret-devel # Red Hat-based
sudo pacman -S libsecret # Arch Linux


Install the package with npm. This will provide a new command in your shell, called keys

npm install -g keys-cli


Just prefix any command you want to run with keys. Environment variables will be downloaded, decrypted, and your command will be executed, now having access to them.

$ keys ./ -a 1 -b 2
keys 2.5.0
Loaded credentials from keychain
AuthSuccess for
DEV                        TEST               PROD
[1] goolybib-dev           [5] goolybib-test  [7] optimoji-prod
[2] microservice-prototype [6] sliceline-test [8] sliceline-prod
[3] optimoji-dev
[4] sliceline-dev
Load Environment #: 2
Executing: ./ -a 1 -b 2 # process now has access to AWS_SECRET_ACCESS_KEY
$ keys java -jar mything.jar
$ keys gunicorn app:app
$ keys bin/rails server -e production -p 4000


-e | --environment environment-name Specifies the environment to load, skipping the prompt which asks for it.

-v | --verbose Enable verbose mode, printing debugging messages about what is going on.

-c | --clean By default, keys will append environment variables to your current shell environment before running your command. This flag will run your command with only the variables from the selected environment.

-l | --local Load encrypted data from local cache (at ~/.keys/cache.json) instead of logging into the remote repository. In normal mode this cache is used as a fallback in case the remote repository is inaccessible.

-s | --source [platform] Load environments from platform instead of

keys -s heroku command # run command, using an environment from a heroku app

-d | --destination [platform] Specify a destination platform to push the source environment to. You will be prompted to select both the source and destination environments.

keys -d heroku # copy environment from to a Heroku app
keys -s heroku -d pivotal # copy an environment from a Heroku app to a Pivotal Cloud Foundry app

-i | --import Pipe lines of variables key=value into stdin to import variables to an environment specified by -e. This will overwrite the environment

echo "VAR1=ABC\nVAR2=DEF" | keys -i -e myenv
heroku config -s | keys -i -e myenv

-t | --token specifies that the KEYS_TOKEN variable in the local environment should be read for an access token for a specific environment. This will bypass normal username/password authentication.

KEYS_TOKEN=abc123 keys -t command

--reset Reset credentials and settings from ~/.keys/settings.json

Access Tokens

Sometimes you need to execute things non-interactively. Create an access token for a specific environment at and use that instead of username/password. This is less secure than interactive authentication, but the server/container state, IP address, and other system data are used to detect suspicious circumstances and deny access and/or notify you appropriately.

$ keys -t env_access_token ./ -myoption myvalue

...or in the local environment:

$ KEYS_TOKEN=env_access_token keys -t ./ -myoption myvalue


This project is licensed under the GNU General Public License v3.0

Current Tags

  • 2.5.0                                ...           latest (a month ago)

17 Versions

  • 2.5.0                                ...           a month ago
  • 2.4.3                                ...           a month ago
  • 2.4.2 [deprecated]           ...           a month ago
  • 2.4.1 [deprecated]           ...           a month ago
  • 2.3.1 [deprecated]           ...           a month ago
  • 2.3.0 [deprecated]           ...           2 months ago
  • 2.2.9 [deprecated]           ...           3 months ago
  • 2.2.8 [deprecated]           ...           3 months ago
  • 2.2.7 [deprecated]           ...           3 months ago
  • 2.2.6 [deprecated]           ...           8 months ago
  • 2.2.5 [deprecated]           ...           10 months ago
  • 2.2.4 [deprecated]           ...           a year ago
  • 2.2.3 [deprecated]           ...           a year ago
  • 2.2.1 [deprecated]           ...           a year ago
  • 2.2.0 [deprecated]           ...           a year ago
  • 2.1.9 [deprecated]           ...           a year ago
  • 2.1.8 [deprecated]           ...           a year ago
Maintainers (1)
Today 0
This Week 0
This Month 0
Last Day 0
Last Week 0
Last Month 54
Dependencies (18)
Dev Dependencies (2)
Dependents (0)

Copyright 2014 - 2016 © |