keys.cm is a repository that stores encrypted blobs of environment variables.

You can store variable sets for your software in the repository, and fetch-decrypt-load them at runtime. This prevents your sensitive environment variables like API access keys from ever having to sit in plain text files on your systems and developer machines.

It's convenient and helpful to developers, and it adds a level of security without getting in the way.

Just prefix any shell command with keys, pick an environment to load, and you're off!



brew install intragalactic/keys/keys-cli

Anywhere Else

Install the package with npm. This will provide a new command in your shell called keys. Then run it to perform a quick setup.

npm install -g keys-cli
keys # will help you set up a new repository


Just prefix any command you want to run with keys. Environment variables will be downloaded, decrypted, and your command will be executed, now having access to them.

# Manage and load your runtime environments

user@darkstar:~ $ keys ./anything.sh -a 1 -b 2

keys 2.5.0 (latest)

[...Authentication via userpass/2FA/tokens/keychain...]

Choose Environment:

[1] myapp-dev

[2] myapp-prod

[3] another-app

Load #: 1

Executing ./anything.sh -a 1 -b 2 # now has AWS_SECRET_ACCESS_KEY (and other vars) loaded


keys ./anything.sh -a 1 -b 2
keys java -jar mything.jar
keys gunicorn app:app
keys bin/rails server -e production -p 4000
keys docker exec -ti my_container /bin/something


-e | --environment environment-name

Specifies the environment to load, skipping the prompt which asks for it.

-v | --verbose

Enable verbose mode, printing debugging messages about what is going on.

-c | --clean

By default, keys will append environment variables to your current shell environment before running your command. This flag will run your command with only the variables from the selected environment.

-i | --import

Pipe lines of variables key=value into stdin to import variables to an environment specified by -e. This will overwrite the environment.


echo "VAR1=ABC\nVAR2=DEF" | keys -i -e myenv
heroku config -s | keys -i -e myenv

-t | --token

Specifies that the KEYS_TOKEN variable in the local environment should be read for an access token for a specific environment. This will bypass normal username/password authentication.

KEYS_TOKEN=abc123 keys -t command


Reset credentials and settings from ~/.keys/settings.json


Libaries for pulling accessing environments from your repository are coming soon for various languages.


See the API Reference documentation.

Frequently Asked Questions

Ask some questions frequently enough, and we'll add them here.

Cookie Policy

We only use cookies on https://keys.cm to maintain a login session.

Privacy Policy

Some technical details about browser requests may be sent to backend services to assist with debugging and software improvement.

We do not share information for marketing purposes.

We do not have access to the variables in your environments.