CLI

Reference documentation for Rot’s CLI

Arguments

Arguments must be entered before commands.

-c [path]

Path to the JSON/Jsonnet configuration file.

-f [format]

Set log format (human, kv, raw, default: human).

-l [level]

Set minimum log level (none, debug, info, error, default: info).

-n

Disable colored log output.

-p

Disable paging via less.

-x [key=value]

Set config key=value (can be provided multiple times)

Commands

alg

Show algorithms Rot understands

autocomplete

Adds autocomplete for Rot commands into your terminal:

$ source <(rot autocomplete)

base64

Import and export base64 strings in various encodings. See command line for specific usage.

config

Show the rendered config from all sources (file, environment variables, and command line arguments).

decrypt

Perform ad-hoc decryption of a value.

decrypt-keys

A convenience command to decrypt and source all encrypted keys to avoid typing them in constantly. Best used within scripts.

edit

Interactively edit a Keyring’s values in an editor like VSCode or vi. Values will be displayed, decrypted, in Jsonnet, and any changes (add/change/delete) will be committed to the keyring upon saving.

encrypt

Encrypt a value and print it to stdout without adding it to the config. Can specify a recipient key to use asymmetric encryption.

eula

View the Rot End User License Agreement (EULA).

init

Initialize a new Rot configuration. See Initialize Rot for more information.

jq

Query JSON from stdin using jq. Supports standard JQ queries, and the -r flag to render raw values.

jwt-dis

Show the contents of a JWT and optionally verify it against a public key.

jwt-new

Generate JSON Web Tokens (JWTs). Visit Generate JWTs for more information.

key-add-prv

Add an existing Decrypt Key to a Keyring. See Manage Keys for more information.

key-add-pub

Add a new or existing key to Decrypt Keys. See Manage Keys for more information.

key-del-prv

Remove a Decrypt Key from a Keyring. See Manage Keys for more information.

key-del-pub

Remove a Decrypt Key from Rot. See Manage Keys for more information.

key-dis

Show the details of a decryptKey.

key-dis-pub

Display the public key of a private key.

key-lst

List decryptKeys in a configuration.

key-new

Generate ad-hoc cryptographic keys.

keyring-add

Add a new or modify an existing Keyring. See Manage Keyrings for more information. Generate and add a private key to a configuration with the specified name.

keyring-del

Remove a Keyring from Rot. See Manage Keyrings for more information.

keyring-lst

Show the names of keyrings in the configuration.

keyring-rekey

Rekey a Keyring configuration. See Manage Keyrings for more information.

lic-add

Add or replace the Rot license key.

pem

Convert a Rot key to PEM or a PEM key to Rot. Can specify an ID for the key when converting from PEM to Rot.

run

Run a command and inject secrets into it via environment variables. See Run Commands for more information. By default, any Value written to stderr/stdout will be masked with ***. Values can be unmasked using the unmask config.

sig-new

Generate signatures. Visit Generate Signatures for more information.

sig-ver

Verify the signature of a message and public key. Will return an error/exit non-zero if the signature doesn’t match, otherwise silently exits 0 on success.

ssh-dis

Convert a Rot key to SSH or a SSH key to Rot.

ssh-new

Generate SSH certificates. Visit Generate SSH for more information.

val-add

Add a value to a configuration. Can specify an optional length to have Rot randomly generate a value instead of prompting for it. See Manage Values for more information.

val-add-prv

Generate and add a private key to a configuration with the specified name.

val-cpy

Copy a value between Keyrings, optionally providing a new name and comment for it. This command can also be used for moving Values.

val-del

Remove a value from a Rot configuration. See Manage Values for more information.

val-dis

Show a decrypted value from the Rot configuration. See Manage Values for more information.

val-lst

Show the names of values in a Keyring.

val-set-meta

Modify metadata for an existing Value.

version

Print the current version of Rot.

x509-dis

Show the contents of an X.509 certificate and optionally verify it against a CA certificate.

x509-new

Generate X.509 certificates. Visit Generate Certificates for more information.