Run Commands

How to run commands using Rot

In this guide, we’ll go over running commands with injected secrets via environment variables.

Run Process

After Rot has been initialized and populated with values, Rot can be used to wrap commands with secrets via environment variables.

The command to perform this is rot run. This command performs these actions:

  • Decrypt the existing Rot Private Key using the User Private Key.
  • Decrypt each value
  • Run the specified command with an environment variable set for each value within the specified path. The environment variable name will be the values name.
  • For each value with meta values, the Values will be set as environment variables using the Value’s name. Given this Value:
"TEST": {
  "meta": {
    "test1": "123",
    "test2": "456",

The following variables will be set (in addition to the TEST variable):


You can specify the path to look for values when using the run command:

$ rot run keyring1/path1,keyring2/path2 <command>

These paths accept regular expressions as well.