CLI

Reference documentation for Rot’s CLI

Arguments

Arguments must be entered before commands.

`-c [path]`

Path to the JSON/Jsonnet configuration file.

`-f [format]`

Set log format (human, kv, raw, default: human).

`-l [level]`

Set minimum log level (none, debug, info, error, default: info).

`-n`

Disable colored log output.

`-p`

Disable paging via less.

`-x [key=value]`

Set config key=value (can be provided multiple times)

Commands

`alg`

Show algorithms Rot understands

`autocomplete`

Adds autocomplete for Rot commands into your terminal:

$ source <(rot autocomplete)

`base64`

Import and export base64 strings in various encodings. See command line for specific usage.

`config`

Show the rendered config from all sources (file, environment variables, and command line arguments).

`decrypt`

Perform ad-hoc decryption of a value.

`decrypt-keys`

A convenience command to decrypt and source all encrypted keys to avoid typing them in constantly. Best used within scripts.

`edit`

Interactively edit a Keyring’s values in an editor like VSCode or vi. Values will be displayed, decrypted, in Jsonnet, and any changes (add/change/delete) will be committed to the keyring upon saving.

`encrypt`

Encrypt a value and print it to stdout without adding it to the config. Can specify a recipient key to use asymmetric encryption.

`eula`

View the Rot End User License Agreement (EULA).

`hash-new`

Generate a hash of a file or string.

`hash-ver`

Verify the hash of a file or string. Will return an error/exit non-zero if the hash doesn’t match, otherwise silently exits 0 on success.

`init`

Initialize a new Rot configuration. See Initialize Rot for more information.

`jq`

Query JSON from stdin using jq. Supports standard JQ queries, and the -r flag to render raw values.

`jwt-dis`

Show the contents of a JWT and optionally verify it against a public key.

`jwt-new`

Generate JSON Web Tokens (JWTs). Visit Generate JWTs for more information.

`key-add-prv`

Add an existing Decrypt Key to a Keyring. See Manage Keys for more information.

`key-add-pub`

Add a new or existing key to Decrypt Keys. See Manage Keys for more information.

`key-del-prv`

Remove a Decrypt Key from a Keyring. See Manage Keys for more information.

`key-del-pub`

Remove a Decrypt Key from Rot. See Manage Keys for more information.

`key-dis`

Show the details of a decryptKey.

`key-dis-pub`

Display the public key of a private key.

`key-lst`

List decryptKeys in a configuration.

`key-new`

Generate ad-hoc cryptographic keys.

`keyring-add`

Add a new or modify an existing Keyring. See Manage Keyrings for more information. Generate and add a private key to a configuration with the specified name.

`keyring-del`

Remove a Keyring from Rot. See Manage Keyrings for more information.

`keyring-lst`

Show the names of keyrings in the configuration.

`keyring-rekey`

Rekey a Keyring configuration. See Manage Keyrings for more information.

`lic-add`

Add or replace the Rot license key.

`pem`

Convert a Rot key to PEM or a PEM key to Rot. Can specify an ID for the key when converting from PEM to Rot.

`run`

Run a command and inject secrets into it via environment variables. See Run Commands for more information. By default, any Value written to stderr/stdout will be masked with ***. Values can be unmasked using the unmask config.

`sig-new`

Generate signatures. Visit Generate Signatures for more information.

`sig-ver`

Verify the signature of a message and public key. Will return an error/exit non-zero if the signature doesn’t match, otherwise silently exits 0 on success.

`ssh-dis`

Convert a Rot key to SSH or a SSH key to Rot.

`ssh-new`

Generate SSH certificates. Visit Generate SSH for more information.

`val-add`

Add a value to a configuration. Can specify an optional length to have Rot randomly generate a value instead of prompting for it. See Manage Values for more information.

`val-add-prv`

Generate and add a private key to a configuration with the specified name.

`val-cpy`

Copy a value between Keyrings, optionally providing a new name and comment for it. This command can also be used for moving Values.

`val-del`

Remove a value from a Rot configuration. See Manage Values for more information.

`val-dis`

Show a decrypted value from the Rot configuration. See Manage Values for more information.

`val-lst`

Show the names of values in a Keyring.

`val-set-meta`

Modify metadata for an existing Value.

`version`

Print the current version of Rot.

`x509-dis`

Show the contents of an X.509 certificate and optionally verify it against a CA certificate.

`x509-new`

Generate X.509 certificates. Visit Generate Certificates for more information.