
ANKASecure CLI – Command Reference

This document is the authoritative specification for every command exposed by ANKASecure CLI.
Each command triggers a REST call to the ANKASecure API—no cryptographic material is processed locally apart from secure buffering during streaming.


Table of Contents

  1. Overview
  2. General Usage
  3. Initialization & Configuration
     • init
  4. Key Management
     • generate-key
     • import-key
     • import-key-pkcs12
     • list-keys
     • export-key
     • remove-key
     • revoke-key
     • patch-key
     • create-rotation
     • get-rotation-job
     • get-supported-algorithms
  5. File Encryption & Decryption (Non-Streaming)
     • encrypt-file
     • decrypt-file
  6. File Signing & Verification (Non-Streaming)
     • sign-file
     • verify-signature
  7. Re-Encrypt & Re-Sign (Non-Streaming)
     • reencrypt-file
     • resign-file
  8. Streaming Encryption & Decryption
     • encrypt-file-stream
     • decrypt-file-stream
  9. Streaming Signing & Verification
     • sign-file-stream
     • verify-signature-stream
  10. Streaming Re-Encrypt & Re-Sign
  11. Public-Key-Only Streaming Operations
  12. Help & Version

Overview

  • Executable Name: ANKASecureCLI
  • Invocation:
    ```bash
    ANKASecureCLI [options]
    ```
  • Purpose: Command-line gateway to every cryptographic, key-management, and large-file-streaming capability offered by the ANKASecure API.

General Usage

ANKASecureCLI [-hV] <command> [options]

  • -h | --help Global switch: print command-specific help.

  • -V | --version Global switch: print CLI version.

  • --config-path=<file> (Optional, on most commands) overrides the default cli.properties location.

All options are long-form for readability; there are no short aliases beyond -h and -V.


Initialization & Configuration

1 . init

Securely bootstraps the encrypted credential store.

Usage

ANKASecureCLI init [-hV] [--config-path=<file>]

| Parameter | Purpose |
|---|---|
| --config-path | Load/store encrypted credentials in a non-default location. |

Description

Initialises cli.properties with AES-GCM-encrypted clientId / clientSecret, plus salt and UUID. This command must be executed once before any other command can authenticate.


Key Management

2 . generate-key

ANKASecureCLI generate-key --kid=<kid> --kty=<kty> --alg=<alg> [--key-ops=<ops>[,<ops>...]] [--exportable] [--validity-days=<days>] [--soft-validity-days=<days>] [--max-usage-limit=<n>] [--soft-usage-limit=<n>] [--config-path=<file>] [-hV]

Creates a new key of type kty with algorithm/parameter-set alg. Optional hard/soft limits enforce expiry or max-operation thresholds.


3 . import-key

ANKASecureCLI import-key --json-file=<file> [--config-path=<file>] [-hV]

Imports any classical, symmetric, or PQC key from a JSON document conforming to KeyImportRequest or ExportedKeySpec.


4 . import-key-pkcs12

ANKASecureCLI import-key-pkcs12 --kid=<kid> --p12-file=<file> [--p12-password=<pwd>] [--config-path=<file>] [-hV]

Ingests a private key contained in a PKCS#12 bundle (.p12/.pfx). The file is Base64-encoded automatically prior to API transmission.


5 . list-keys

ANKASecureCLI list-keys [--config-path=<file>] [-hV]

Retrieves the public metadata of every key stored server-side.


6 . export-key

ANKASecureCLI export-key --kid=<kid> --output-file=<file> [--config-path=<file>] [-hV]

Exports key metadata and (for asymmetric keys) the public key to a JSON file without exposing private material.


7 . remove-key

ANKASecureCLI remove-key --kid=<kid> [--config-path=<file>] [-hV]

Permanently deletes the specified key from the keystore.


8 . revoke-key

ANKASecureCLI revoke-key --kid=<kid> [--config-path=<file>] [-hV]

Sets key status to REVOKED. The key becomes unusable and cannot be reactivated.


9 . patch-key

ANKASecureCLI patch-key --kid=<kid> --patch-file=<file> [--config-path=<file>] [-hV]

Applies an RFC 7396 JSON Merge Patch to update key metadata atomically.


10 . create-rotation

ANKASecureCLI create-rotation --kid=<currentKid> --successor-kid=<newKid> --kty=<kty> --alg=<alg> [--key-ops=<ops>[,<ops>...]] [--exportable] [--validity-days=<days>] [--soft-validity-days=<days>] [--max-usage-limit=<n>] [--soft-usage-limit=<n>] [--scheduled-at=<ISO8601UTC>] [--config-path=<file>] [-hV]

Creates (or schedules) an automated rotation. The successor key is generated server-side and logically linked to currentKid.


11 . get-rotation-job

ANKASecureCLI get-rotation-job --job-id=<jobId> [--config-path=<file>] [-hV]

Queries the lifecycle state of an asynchronous rotation job.


12 . get-supported-algorithms

ANKASecureCLI get-supported-algorithms [--config-path=<file>] [-hV]

Returns the current, dynamically configured (kty, alg) catalogue, enabling strict client-side validation before key creation.


File Encryption and Decryption (Non-Streaming)

13 . encrypt-file

ANKASecureCLI encrypt-file --kid=<kid> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Encrypts the entire file using the public key referenced by kid.


14 . decrypt-file

ANKASecureCLI decrypt-file --kid=<kid> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Decrypts ciphertext with the private key linked to kid.


File Signing and Verification (Non-Streaming)

15 . sign-file

ANKASecureCLI sign-file --kid=<kid> --input-file=<file> --output-signature-file=<file> [--config-path=<file>] [-hV]

Creates a detached binary signature for input-file.


16 . verify-signature

ANKASecureCLI verify-signature --kid=<kid> --input-file=<file> --input-signature-file=<file> [--config-path=<file>] [-hV]

Validates a detached signature using the public key associated with kid.


Re-Encrypt and Re-Sign (Non-Streaming)

17 . reencrypt-file

ANKASecureCLI reencrypt-file --old-kid=<oldKid> --new-kid=<newKid> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Decrypts data with oldKid and immediately re-encrypts it with newKid; plaintext never leaves the secure buffer.


18 . resign-file

ANKASecureCLI resign-file --old-kid=<oldKid> --new-kid=<newKid> --input-file=<file> --old-signature-file=<file> --new-signature-file=<file> [--config-path=<file>] [-hV]

Verifies the existing signature then produces a replacement signature using newKid.


Streaming Encryption and Decryption

19 . encrypt-file-stream

ANKASecureCLI encrypt-file-stream --kid=<kid> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Chunk-based encryption for very large files. Requires the CLI or SDK; Swagger UI cannot invoke streaming endpoints.


20 . decrypt-file-stream

ANKASecureCLI decrypt-file-stream --kid=<kid> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Chunk-based decryption complementary to the previous command.


Streaming Signing and Verification

21 . sign-file-stream

ANKASecureCLI sign-file-stream --kid=<kid> --input-file=<file> --output-signature-file=<file> [--config-path=<file>] [-hV]

Generates a streaming signature while reading the file sequentially.


22 . verify-signature-stream

ANKASecureCLI verify-signature-stream --kid=<kid> --input-file=<file> --input-signature-file=<file> [--config-path=<file>] [-hV]

Verifies a streaming signature without loading the full payload into memory.


Streaming Re-Encrypt and Re-Sign

23 . reencrypt-file-stream

ANKASecureCLI reencrypt-file-stream --old-kid=<oldKid> --new-kid=<newKid> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Streaming ciphertext migration between keys.


24 . resign-file-stream

ANKASecureCLI resign-file-stream --old-kid=<oldKid> --new-kid=<newKid> --input-file=<file> --old-signature-file=<file> --new-signature-file=<file> [--config-path=<file>] [-hV]

Streaming replacement of a detached signature.


Public-Key-Only Streaming Operations

25 . encrypt-file-publickey-stream

ANKASecureCLI encrypt-file-publickey-stream --kty=<kty> --alg=<alg> --public-key=<json> --input-file=<file> --output-file=<file> [--config-path=<file>] [-hV]

Encrypts with an ephemeral public key supplied in JSON form; nothing is persisted server-side.


26 . verify-signature-publickey-stream

ANKASecureCLI verify-signature-publickey-stream --kty=<kty> --alg=<alg> --public-key=<json> --input-signature-file=<file> --input-file=<file> [--config-path=<file>] [-hV]

Streaming verification against a supplied (non-persisted) public key.


Help and Version

27 . --help

Prints command-specific usage information.

ANKASecureCLI <command> --help

28 . --version

Outputs the compiled CLI version.

ANKASecureCLI --version


Operational Limits

| Resource | Default Limit (Demo) |
|---|---|
| Max JSON payload | 5 MiB |
| Max streaming chunk | 5 MiB |
| Access-token lifetime | 1 h |
| Refresh-token lifetime | 72 h |

Production tenants may request customised limits via [email protected].


Best Practices

  1. Run init once per environment to avoid plaintext credentials.

  2. Use streaming commands (*-stream) for any file > 100 MiB or when working inside CI/CD pipelines.

  3. Rotate keys regularly with create-rotation and monitor via get-rotation-job.

  4. Validate parameters offline using get-supported-algorithms to guarantee compatibility before invoking generate-key.

  5. Capture exit codes: any non-zero value indicates operational failure suitable for pipeline gating.
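
Practices 2 and 5 combined in a CI helper, as an added example that is not part of the ANKASecure documentation: it picks encrypt-file or encrypt-file-stream from the input size and hands the CLI's exit code back to the pipeline. The variable names, function names, the exit code for an unreadable input and the cleanup of a partial output file are assumptions; the subcommands and flags are the ones listed on this page.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Assumptions: the ANKA_CLI and
# ANKA_STREAM_THRESHOLD variables, both function names, exit code 2 for an
# unreadable input, and deleting a partial output file on failure.

ANKA_CLI="${ANKA_CLI:-ANKASecureCLI}"
# 100 MiB: above this size the page recommends the *-stream commands.
ANKA_STREAM_THRESHOLD="${ANKA_STREAM_THRESHOLD:-104857600}"

# Print the encrypt subcommand to use for a file of <size_bytes>.
anka_pick_encrypt_command() {
    local size_bytes="$1"
    if [ "$size_bytes" -gt "$ANKA_STREAM_THRESHOLD" ]; then
        printf '%s\n' "encrypt-file-stream"
    else
        printf '%s\n' "encrypt-file"
    fi
}

# Encrypt <input> to <output> with key <kid>; returns the CLI's exit code.
anka_encrypt() {
    local kid="$1" input="$2" output="$3" size cmd rc
    if [ ! -r "$input" ]; then
        echo "anka_encrypt: cannot read input file: $input" >&2
        return 2
    fi
    size=$(wc -c < "$input" | tr -d '[:space:]')
    cmd=$(anka_pick_encrypt_command "$size")

    # "|| rc=$?" keeps the exit code even when the caller runs under "set -e".
    rc=0
    "$ANKA_CLI" "$cmd" --kid="$kid" --input-file="$input" \
        --output-file="$output" || rc=$?

    if [ "$rc" -ne 0 ]; then
        # Do not leave a partial ciphertext for a later stage to pick up.
        rm -f -- "$output"
        echo "anka_encrypt: $cmd failed with exit code $rc" >&2
    fi
    return "$rc"
}
```

In a pipeline step, `anka_encrypt <kid> build.tar build.tar.enc || exit $?` stops the job on any non-zero result.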


© 2025 ANKATech Co. All rights reserved.