Locker Secrets features a command-line interface (CLI) that wraps common functionality and formats output. The Locker Secrets CLI is a single static binary. It is a wrapper around the HTTP API.

Locker Secrets CLI can be downloaded with the following links:

There are two types of encrypted data: secret and environment, with each secret belonging to a specific environment (by default the special environment All). The data follows these two rules to enforce uniqueness:

Each command is represented as a command or subcommand, and there are a number of command and subcommand options available: HTTP options, output options, and command-specific options.

Construct your Locker Secrets CLI command such that the command options precede its path and arguments if any:

locker <command> <subcommands> [flags]

Normally, a Locker Secrets command or subcommand must be supplied with the access key’s ID and secret through two flags:

locker secret list --access-key-id {id} --access-key-secret {secret}

But, if either the environment variables LOCKER_ACCESS_KEY_ID and LOCKER_ACCESS_KEY_SECRET are set or the credential data are initialized either manually or by the configuration command, Locker Secrets will use those instead.

locker secret list // no access key flags required

If more than one credential is present, Locker Secrets will prioritize them by this order: command line flags → credential file → environment variables.

Set the access key’s details to the credential file.

locker configuration --access-key-id {id} --secret-access-key {secret key}

There will be an input prompt for either flag that is not provided.

If there is an old access key ID and secret in the credential file, there will be a confirmation prompt to overwrite them.

Perform Read and Write actions on encrypted secrets.

locker secret <subcommands> [flags]

Perform Read and Write actions on encrypted environments.

locker environment <subcommands> [flags]

Available on secret and environment commands.

Optional flag:

--environment (secret only): specify the associated environment of the secrets to decrypt, default to null (which represents the All environment) if not provided.

list retrieves and decrypts all secret/environment items from the server.

locker secret list --access-key-id {id} --secret-access-key {secret key} [additional flags]

locker environment list --access-key-id {id} --secret-access-key {secret key} [additional flags]

Available on secret and environment commands.

get retrieves and decrypts one specific secret/environment item from the server.

Required flag:

--key (for secret) or --name (for environment): specify the key/name of the item to decrypt.

Optional flag:

--environment (secret only): specify the associated environment of the secret to decrypt, default to null (which represents the All environment) if not provided.

locker secret get --access-key-id {id} --secret-access-key {secret key} --key {secret's key} --environment {secret's environment} [additional flags]

locker environment get --access-key-id {id} --secret-access-key {secret key} --name {environment's name} [additional flags]

Available on secret and environment commands.

create takes input data and generates its encrypted version on Locker Secret’s server.

Required flag:

--key, --value (for secret): the key-value pair of secret.

--name (for environment): environment’s name.

Optional flag:

--description: item’s description.

--url: environment’s external URL.

--environment (for secret) specify which environment the secret belongs to.

secret create completed command:

locker secret create --access-key-id {id} --secret-access-key {secret key} --key secret_1 --value secret_2 --description "this is secret data" --environment prod [additional flags]

Note: the --key and --value flags are required.

environment create completed command:

locker environment create --access-key-id {id} --secret-access-key {secret key} --name env_1 --url env_2	--description "this is env data" [additional flags]

Note: the --name flag is required.

Available on secret and environment commands.

update modifies a secret or environment item’s data by the provided input.

Required flag:

--key (for secret),--name (for environment): specify the targeted item to update.

At least one of the following flags:

--new-key, --new-value, --new-description, --new-environment (for secret), --new-name, --new-url, --new-description (for environment): specify explicitly the field to modify. The environment name passed into --new-environment must exist.

Optional flag:

--environment (secret only): specify the associated environment of the secret to update, default to null (which represents the All environment) if not provided.

The --new-* flags must be explicitly passed for each field to be modified.

For example, the following secret update command updates the key, value, description and environment of a secret item:

locker secret update --access-key-id {id} --secret-access-key {secret key} --key old_secret_1 --environment old_environment_1  --data --new-key new_secret_1 --new-value new_secret_2 --new-description "this is new secret data" --new-environment new_environment_1 [additional flags]

while this command updates only the key:

locker secret update --access-key-id {id} --secret-access-key {secret key} --key old_secret_1 --environment old_environment_1  --data --new-key new_secret_1 [additional flags]

Note: the key and one of the --new-* flags are required.

environment update completed command:

locker environment update --access-key-id {id} --secret-access-key {secret key} --name old_env_1 --new-name new_env_1 --new-url new_env_2 --new-description "this is new env data" [additional flags]

Note: the name and one of the --new-* flags are required.