keephippo

Command reference

Commands are grouped to mirror the CLI itself. Group commands (like kv or auth) are containers for the subcommands beneath them.

Server & operator

keephippo server

Runs the keephippo server: the long-lived process that stores your secrets. Use --dev for a throwaway in-memory server, or --config to point at an HCL/JSON config file for a real, file-backed, operator-unsealed server.

Command options
Flag Type Default Description
--dev bool false In-memory, auto-unsealed dev server (prints the root token; not for production).
--config string Path to an HCL/JSON config file (required unless --dev).

The config file declares a storage stanza (file/inmem), a listener, an optional ui = true, and an optional seal "transit" { … } auto-unseal stanza.

Typical use
$ keephippo server --config /etc/keephippo/config.hcl
==> keephippo server started (storage: file, listener: 127.0.0.1:8200)
The server is sealed. Run 'keephippo operator init', then 'keephippo operator unseal'.

keephippo operator

Groups the server lifecycle subcommands: init, unseal, and seal. You run these against a server you administer.

Command options

Inherits the global flags; the work is done by the subcommands below.

Typical use
$ keephippo operator init -key-shares=1 -key-threshold=1
$ keephippo operator unseal <unseal-key>

keephippo operator init

Initializes a brand-new server exactly once: it generates the barrier/root keys, splits the root key into unseal key shares, and prints those shares plus the initial root token. Save them somewhere safe — they are shown only once.

Command options
Flag Type Default Description
-key-shares int 5 Number of unseal key shares to generate.
-key-threshold int 3 Number of shares required to unseal.
Typical use
$ keephippo operator init -key-shares=1 -key-threshold=1
Unseal Key 1: def0a1fb…
Initial Root Token: kh.GhO9k0O9…

keephippo operator unseal

Submits one unseal key share. Repeat with distinct shares until the threshold is reached, at which point the server reconstructs the root key and becomes usable.

Command options

Takes the key share as its argument. With no argument it prompts for the key. Inherits the global flags.

Typical use
$ keephippo operator unseal def0a1fb…
Key                Value
---                -----
Sealed             false

keephippo operator seal

Re-seals a running server: it discards the in-memory root key so no secret can be read until the server is unsealed again. Requires a root (sudo) token.

Command options

No flags beyond the globals.

Typical use
$ keephippo operator seal
Success! keephippo is sealed.

keephippo status

Shows whether the server is initialized and sealed, the seal type and share counts, the version, and the storage backend. It works even against a sealed server, so it is the first thing to run when something looks wrong.

keephippo status

Command options

No flags beyond the globals. -format=json prints the raw seal-status envelope.

Typical use
$ keephippo status
Key             Value
---             -----
Sealed          false
Version         v0.2.0
Storage Type    inmem

keephippo version

Prints the version string (a git tag like v0.2.0, or a commit hash for development builds).

Command options

No flags.

Typical use
$ keephippo version
v0.2.0

keephippo info

Prints a fuller build summary: version, branch, commit, build time, and the Go toolchain/OS/arch. Handy in bug reports.

Command options

No flags.

Typical use
$ keephippo info
version:    v0.2.0
commit:     95c84d7

Session

keephippo login

Authenticates and stores the resulting token locally (~/.keephippo-token) so later commands don't need KEEPHIPPO_TOKEN. Log in with a raw token, or with -method=userpass / -method=approle to exchange credentials for a token.

Command options
Flag Type Default Description
--token string The token to store (token method).
--method string Auth method: userpass or approle.
--path string method name Mount path of the auth method.

For -method=userpass, pass username=… and password=… as arguments; for -method=approle, pass role_id=… and secret_id=….

Typical use
$ keephippo login -method=userpass username=alice password=s3cr3t
Success! You are now authenticated. The token has been stored and
will be used for future commands.

Generic paths

These four verbs operate on any /v1/* path directly — the lowest-level way to talk to any engine or system endpoint.

keephippo read

Reads data at a path and renders it. Equivalent to an HTTP GET. Add -format=json to see the full response envelope.

keephippo read -format=json

Command options

Global flags only. -format=json prints the raw envelope; -wrap-ttl wraps the response into a single-use token.

Typical use
$ keephippo read secret/data/myapp/db -format=json
{
  "data": { "password": "s3cr3t", "username": "admin" },
  "lease_duration": 0,
  "renewable": false
}

keephippo write

Writes key=value pairs (or a config change) to a path. Equivalent to an HTTP PUT/POST. Use - as a value source to read a value from stdin.

Command options

Takes PATH [KEY=VALUE...]. Global flags apply.

Typical use
$ keephippo write auth/approle/role/ci token_policies=deploy
Success! Data written to: auth/approle/role/ci

keephippo list

Lists the child keys under a path (an HTTP LIST). Trailing-slash entries are sub-paths you can list further.

Command options

Global flags only. Returns exit code 2 with "No value found" when empty.

Typical use
$ keephippo list secret/metadata/myapp
Keys
----
db

keephippo delete

Deletes the data at a path (an HTTP DELETE).

Command options

Global flags only.

Typical use
$ keephippo delete secret/data/myapp/db
Success! Data deleted (if it existed) at: secret/data/myapp/db

KV

The kv command is a convenience wrapper over the KV secrets engine. It detects whether a mount is v1 (unversioned) or v2 (versioned) and rewrites paths onto the data/ and metadata/ sub-paths automatically.

keephippo kv

Groups the KV subcommands: put, get, list, delete, plus the v2 verbs undelete, destroy, patch, rollback, and metadata.

Command options

Inherits the global flags; behaviour lives in the subcommands.

Typical use
$ keephippo kv put secret/hello greeting=world
$ keephippo kv get secret/hello

keephippo kv put

Writes one or more key=value pairs to a KV path — the everyday "save this secret here" command. On a v2 mount it creates a new version.

keephippo kv put

Command options
Flag Type Default Description
-cas int Check-and-set: only write if the current version matches (KV v2).
Typical use
$ keephippo kv put secret/myapp/db username=admin password=s3cr3t
Success! Data written to: secret/myapp/db

keephippo kv get

Reads a secret and prints its fields. On a v2 mount, -version reads a specific historical version and the metadata (version, timestamps) is shown alongside.

keephippo kv get

Command options
Flag Type Default Description
-version int latest Read a specific version (KV v2).
Typical use
$ keephippo kv get secret/myapp/db
Key                 Value
---                 -----
password            s3cr3t
username            admin

keephippo kv list

Lists the keys under a KV path (uses the metadata/ layout on v2 mounts).

Command options

Global flags only.

Typical use
$ keephippo kv list secret/myapp
Keys
----
db

keephippo kv delete

Deletes a secret. On a v2 mount this is a soft delete (the version can be undeleted); pass -versions to soft-delete specific versions.

Command options
Flag Type Default Description
-versions list latest Comma-separated versions to soft-delete (KV v2).
Typical use
$ keephippo kv delete -versions=2 secret/myapp/db
Success! Data deleted (if it existed) at: secret/myapp/db

keephippo kv undelete

Restores soft-deleted versions of a v2 secret.

Command options
Flag Type Default Description
-versions list Comma-separated versions to restore (required).
Typical use
$ keephippo kv undelete -versions=2 secret/myapp/db

keephippo kv destroy

Permanently destroys specific versions of a v2 secret — the data is gone and cannot be undeleted.

Command options
Flag Type Default Description
-versions list Comma-separated versions to destroy (required).
Typical use
$ keephippo kv destroy -versions=1 secret/myapp/db

keephippo kv patch

Updates individual fields of the latest v2 version without replacing the whole secret (a read-modify-write that keeps the other keys).

Command options

Takes PATH KEY=VALUE.... KV v2 only.

Typical use
$ keephippo kv patch secret/myapp/db password=rotated

keephippo kv rollback

Restores an older version as a new latest version (the contents of version N are written back as version N+1).

Command options
Flag Type Default Description
-version int The version to roll back to (required).
Typical use
$ keephippo kv rollback -version=1 secret/myapp/db

keephippo kv metadata

Groups the v2 metadata subcommands (get, put, delete) for a key's version history and tunables.

Command options

Inherits the global flags.

Typical use
$ keephippo kv metadata get secret/myapp/db

keephippo kv metadata get

Reads a key's metadata: current version, version history, max_versions, and cas_required.

Command options

Global flags only.

Typical use
$ keephippo kv metadata get secret/myapp/db
Key                 Value
---                 -----
current_version     2
max_versions        0

keephippo kv metadata put

Configures a key's metadata: the number of versions to keep and whether writes must use check-and-set.

Command options
Flag Type Default Description
-max-versions int Number of versions to keep.
-cas-required bool false Require check-and-set on writes.
Typical use
$ keephippo kv metadata put -max-versions=5 secret/myapp/db

keephippo kv metadata delete

Deletes a key and all of its versions and metadata (a hard delete of the whole key).

Command options

Global flags only.

Typical use
$ keephippo kv metadata delete secret/myapp/db

Engines & tuning

keephippo secrets

Groups the secrets-engine management subcommands: enable, disable, list, move, and tune.

Command options

Inherits the global flags.

Typical use
$ keephippo secrets list

keephippo secrets enable

Mounts a secrets engine at a path. Supported types: kv, transit, totp. Use -version=2 to enable versioned KV.

Command options
Flag Type Default Description
-path string type name Path to mount the engine at.
-version int 1 KV engine version (2 for versioned KV).
Typical use
$ keephippo secrets enable -path=secret -version=2 kv
Success! Enabled the kv secrets engine at: secret/

keephippo secrets disable

Unmounts a secrets engine and clears its data.

Command options

Global flags only.

Typical use
$ keephippo secrets disable secret
Success! Disabled the secrets engine (if it existed) at: secret/

keephippo secrets list

Lists the enabled secrets engines and their types.

keephippo secrets list

Command options

Global flags only.

Typical use
$ keephippo secrets list
Path            Type
----            ----
secret/         kv
transit/        transit

keephippo secrets move

Moves a secrets engine to a new mount path, preserving its data (which is keyed by the mount's UUID, not its path).

Command options

Takes SOURCE DEST. Global flags apply.

Typical use
$ keephippo secrets move secret kv
Success! Moved secrets engine secret/ to: kv/

keephippo secrets tune

Reads or updates a mount's tunable configuration (e.g. description, KV options).

Command options

Takes PATH [KEY=VALUE...]; with no pairs it reads the current config.

Typical use
$ keephippo secrets tune secret

Auth

keephippo auth

Groups the auth-method management subcommands: enable, disable, list. keephippo ships token (built-in), userpass, approle, and cert.

Command options

Inherits the global flags.

Typical use
$ keephippo auth list

keephippo auth enable

Mounts an auth method under auth/. After enabling, configure users/roles/certs with keephippo write auth/<path>/….

Command options
Flag Type Default Description
-path string type name Path to mount the auth method at.
Typical use
$ keephippo auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ keephippo write auth/userpass/users/alice password=s3cr3t token_policies=app

keephippo auth disable

Disables an auth method and clears its data.

Command options

Global flags only.

Typical use
$ keephippo auth disable userpass

keephippo auth list

Lists the enabled auth methods (always including the built-in token/).

Command options

Global flags only.

Typical use
$ keephippo auth list
Path            Type
----            ----
token/          token
userpass/       userpass

Policies

keephippo policy

Groups the ACL policy subcommands: read, write, list, delete. Policies are HCL that grant capabilities on path patterns.

Command options

Inherits the global flags.

Typical use
$ keephippo policy list

keephippo policy write

Creates or updates a named policy from an HCL file, an inline string, or stdin (-).

Command options

Takes NAME PATH-OR-"-". Reading from - consumes the policy HCL from stdin.

Typical use
$ keephippo policy write app - <<'EOF'
path "secret/data/myapp/*" {
  capabilities = ["read", "list"]
}
EOF
Success! Uploaded policy: app

keephippo policy read

Prints a policy's HCL source.

Command options

Global flags only.

Typical use
$ keephippo policy read app
path "secret/data/myapp/*" {
  capabilities = ["read", "list"]
}

keephippo policy list

Lists the policy names (always including root and default).

Command options

Global flags only.

Typical use
$ keephippo policy list
Keys
----
app
default
root

keephippo policy delete

Deletes a policy. The built-in root and default policies cannot be deleted.

Command options

Global flags only.

Typical use
$ keephippo policy delete app
Success! Deleted policy: app

Tokens

keephippo token

Groups the token subcommands: create, lookup, renew, revoke, and capabilities.

Command options

Inherits the global flags.

Typical use
$ keephippo token create -policy=app -ttl=1h

keephippo token create

Mints a new token with a set of policies and a TTL. The parent token must be allowed to grant what it hands out (only a root token can create root tokens).

keephippo token create

Command options
Flag Type Default Description
-policy list Policy to attach (repeatable).
-ttl duration system default Token lifetime.
-num-uses int unlimited Limit the token to this many uses.
-display-name string A human label recorded on the token.
-no-default-policy bool false Don't attach the default policy.
Typical use
$ keephippo token create -policy=app -ttl=1h
Key                 Value
---                 -----
token               kh.W4Flu8ab…
token_policies      [default app]

keephippo token lookup

Shows a token's metadata: its policies, remaining TTL, accessor, and (if any) its identity entity.

Command options

Takes an optional token argument; with none it looks up your own token.

Typical use
$ keephippo token lookup
Key                 Value
---                 -----
policies            [root]
ttl                 0

keephippo token renew

Extends a renewable token's TTL, up to its maximum.

Command options

Takes the token and an optional -increment. Global flags apply.

Typical use
$ keephippo token renew -increment=1h kh.W4Flu8ab…

keephippo token revoke

Revokes a token immediately, destroying it and its cubbyhole.

Command options

Takes the token to revoke. Global flags apply.

Typical use
$ keephippo token revoke kh.W4Flu8ab…
Success! Revoked token

keephippo token capabilities

Reports which capabilities a token has on a given path — the quick way to answer "can this token read that secret?".

Command options

Takes [TOKEN] PATH; with only a path it checks your own token.

Typical use
$ keephippo token capabilities secret/data/myapp/db
read, list

Leases

keephippo lease

Groups the lease subcommands: lookup, renew, revoke. Leases back tokens (and, in future, dynamic secrets); the server auto-revokes them on expiry.

Command options

Inherits the global flags.

Typical use
$ keephippo lease lookup auth/token/create/<id>

keephippo lease lookup

Shows a lease's metadata: issue time, expiry, and remaining TTL.

Command options

Takes the lease ID. Global flags apply.

Typical use
$ keephippo lease lookup auth/token/create/abc123
Key                 Value
---                 -----
ttl                 3540
renewable           true

keephippo lease renew

Extends a lease (and the token behind it), capped by its maximum TTL.

Command options
Flag Type Default Description
-increment duration Requested extension (e.g. 1h).
Typical use
$ keephippo lease renew -increment=1h auth/token/create/abc123

keephippo lease revoke

Revokes a lease now. With -prefix, revokes every lease under a prefix at once (a sudo operation).

Command options
Flag Type Default Description
-prefix bool false Treat the argument as a prefix and revoke all matches.
Typical use
$ keephippo lease revoke -prefix auth/token/create/
Success! Revoked all leases under prefix: auth/token/create/

Transit

The transit command is a thin convenience wrapper over the transit engine (encryption-as-a-service); it base64-encodes plaintext for you. You can also drive transit with the generic write/read commands.

keephippo transit

Groups the transit subcommands: key, encrypt, decrypt, rewrap.

Command options
Flag Type Default Description
--mount string transit Transit mount path.
Typical use
$ keephippo transit key create app
$ keephippo transit encrypt app "launch codes"

keephippo transit key

Groups the key-management subcommands: create, read, rotate.

Command options

Inherits --mount.

Typical use
$ keephippo transit key read app

keephippo transit key create

Creates a named encryption key. The default type is aes256-gcm96; other types are chacha20-poly1305 (encryption) and ed25519 / ecdsa-p256 (signing).

Command options
Flag Type Default Description
-type string aes256-gcm96 Key type.
Typical use
$ keephippo transit key create app

keephippo transit key read

Reads a key's metadata: type, latest version, and (for signing keys) the public keys. The secret key material never leaves the server.

Command options

Inherits --mount.

Typical use
$ keephippo transit key read app
Key                 Value
---                 -----
type                aes256-gcm96
latest_version      1

keephippo transit key rotate

Adds a new version to a key. New encryptions use the new version; old ciphertext still decrypts until you raise min_decryption_version.

Command options

Inherits --mount.

Typical use
$ keephippo transit key rotate app

keephippo transit encrypt

Encrypts plaintext with a named key and prints the versioned ciphertext (vault:v1:…). The CLI base64-encodes the plaintext for you.

keephippo transit

Command options

Takes NAME PLAINTEXT. Inherits --mount.

Typical use
$ keephippo transit encrypt app "launch codes"
vault:v1:P7YuX/G0dInbZTwQOjAYWAVGgq44…

keephippo transit decrypt

Decrypts a vault:v… ciphertext with a named key and prints the recovered plaintext.

Command options

Takes NAME CIPHERTEXT. Inherits --mount.

Typical use
$ keephippo transit decrypt app vault:v1:P7YuX/G0dInbZTwQ…
launch codes

keephippo transit rewrap

Re-encrypts a ciphertext with the key's latest version — how you upgrade old ciphertext after a key rotation without ever seeing the plaintext.

Command options

Takes NAME CIPHERTEXT. Inherits --mount.

Typical use
$ keephippo transit rewrap app vault:v1:P7YuX/G0dInbZTwQ…
vault:v2:9aRk2…

Audit & wrapping

keephippo audit

Groups the audit-device subcommands: enable, disable, list. Audit devices record every request with sensitive fields HMAC-obscured, and are fail-closed.

Command options

Inherits the global flags.

Typical use
$ keephippo audit list

keephippo audit enable

Enables an audit device. The file device appends JSON lines to a path; the syslog device writes to the local syslog. Pass device options as key=value.

Command options
Flag Type Default Description
-path string type name Path for the audit device.

Extra key=value arguments become device options (e.g. file_path=…).

Typical use
$ keephippo audit enable file file_path=/var/log/keephippo/audit.log
Success! Enabled the file audit device at: file/

keephippo audit disable

Disables an audit device.

Command options

Global flags only.

Typical use
$ keephippo audit disable file

keephippo audit list

Lists the enabled audit devices and their options.

Command options

Global flags only.

Typical use
$ keephippo audit list
Path            Type
----            ----
file/           file

keephippo unwrap

Unwraps a response-wrapping token, returning the original data. Response wrapping (request a wrap with the global -wrap-ttl flag) hides a secret behind a single-use token; unwrap reveals it exactly once.

keephippo unwrap

Command options

Takes an optional wrapping-token argument; with none, the stored/authenticated token is treated as the wrapping token.

Typical use
$ keephippo -wrap-ttl=120s read secret/myapp/db
Key                    Value
---                    -----
wrapping_token         kh.idgsb4_fI2SNaY…
wrapping_token_ttl     120
$ keephippo unwrap kh.idgsb4_fI2SNaY…
Key                 Value
---                 -----
password            s3cr3t
username            admin