# AnkaSecure CLI – Command Reference

CLI build version: 2.0.1
Executable: `AnkaSecureCLI`

Invocation pattern:

```
AnkaSecureCLI <command> [options]
```

The CLI is a thin wrapper over the AnkaSecure API; all cryptographic work happens server-side.

Global flags available on every command:

| Flag | Purpose |
| --- | --- |
| `-h`, `--help` | Print command-specific usage. |
| `-V`, `--version` | Display CLI build version. |
| `--config-path=<file>` | Use an alternate `cli.properties` file. |
## Table of Contents
- Initialisation
- Key Lifecycle
- Algorithm Discovery
- Non-Streaming File Crypto
- Streaming File Crypto
- Public-Key Utility Streams
- Operational Limits
- Best Practices
## Initialisation

### init

Initialises an AES-GCM–encrypted credential store. Must be run once before any other command.

| Option | Required | Description |
| --- | --- | --- |
| `--force` | | Overwrite an existing credential store. |
| `--silent` | | Non-interactive mode. All credentials must be passed via flags. |
| `--client-id=<id>` | when `--silent` | Application clientId issued by AnkaSecure. |
| `--client-secret=<secret>` | when `--silent` | Application clientSecret issued by AnkaSecure. |
| `--config-path=<file>` | | Alternate location for `cli.properties`. |

A value passed via `--client-secret` is visible to other local users in the process table and may be recorded in shell history. In CI, inject it from the job's secret store at run time rather than writing it into a script, and run the job where the process table is not shared.
## Key Lifecycle

### generate-key

Create a brand-new key on the server.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Logical identifier (unique). |
| `--kty=<kty>` | ✔︎ | Key type (e.g. `RSA`, `ML-KEM`, `oct`). |
| `--alg=<alg>` | ✔︎ | Algorithm / parameter set. |
| `--key-ops=<ops>[,…]` | | Allowed operations (`encrypt`, `decrypt`, `sign`, `verify`). |
| `--exportable` | | Mark key as exportable. |
| `--validity-days=<n>` | | Hard expiry in n days. |
| `--soft-validity-days=<n>` | | Soft-limit expiry in n days. |
| `--max-usage-limit=<n>` | | Hard operation counter. |
| `--soft-usage-limit=<n>` | | Soft operation counter. |
| `--config-path=<file>` | | Alternate `cli.properties`. |

Restrict `--key-ops` to the operations the key actually needs: a key that is allowed to both sign and decrypt has a larger blast radius if its credentials are misused than one limited to a single purpose. Set the soft limits below the hard ones so that a warning precedes enforcement.
### import-key

Import any key from a JSON document (`KeyImportRequest` or `ExportedKeySpec`).

| Option | Required | Description |
| --- | --- | --- |
| `--json-file=<file>` | ✔︎ | Path to JSON definition. |
| `--config-path=<file>` | | Alternate properties file. |
### import-key-pkcs12

Load a private key from a PKCS#12 bundle.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Identifier to store the key under. |
| `--p12-file=<file>` | ✔︎ | `.p12` / `.pfx` bundle (binary). |
| `--p12-password=<pwd>` | | Password if the bundle is protected. |
| `--config-path=<file>` | | Alternate properties file. |

As with `--client-secret`, a password given via `--p12-password` is exposed in the process table and shell history; the bundle itself contains private key material, so delete or re-protect it once the import has succeeded.
### list-keys

Return metadata for all stored keys.

| Option | Description |
| --- | --- |
| `--config-path=<file>` | Alternate properties file. |
### export-key

Export public material + metadata as JSON.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Key identifier. |
| `--output-file=<file>` | ✔︎ | Destination JSON file. |
| `--config-path=<file>` | | Alternate properties file. |
### remove-key

Hard-delete a key. Because all cryptographic work happens server-side, any JWE or JWS that depends on the deleted key can no longer be decrypted or verified through the API afterwards; re-protect such artefacts with `reencrypt-file` / `resign-file` (or their `-stream` variants) before deleting, or use `revoke-key` if the key record itself should be retained.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Key identifier. |
| `--config-path=<file>` | | Alternate properties file. |
### revoke-key

Set status → `REVOKED`.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Key identifier. |
| `--config-path=<file>` | | Alternate properties file. |
### patch-key

Apply an RFC 7396 JSON Merge-Patch to update limits or expiry. Only the fields for which a flag is given are sent, so every other attribute of the key is left unchanged.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Target key. |
| `--expires-at=<RFC3339>` | | New hard expiry. |
| `--soft-limit-expiration=<RFC3339>` | | New soft expiry. |
| `--soft-usage-limit=<n>` | | New soft operation cap. |
| `--max-usage-limit=<n>` | | New hard operation cap. |
| `--config-path=<file>` | | Alternate properties file. |
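The following is an added example, not AnkaSecure code, that shows what RFC 7396 merge-patch semantics mean for a `patch-key` call: it implements the merge-patch algorithm from the RFC, builds a patch body from flag values the way the command's options imply, and applies it to a constructed key record. The JSON member names (`expiresAt`, `softLimitExpiration`, `softUsageLimit`, `maxUsageLimit`) and the shape of the record are assumptions for illustration, not the documented API schema, and the soft-versus-hard consistency check is a local sanity check rather than a server rule stated by this reference.

```python
import copy
from datetime import datetime, timezone

# Assumed mapping from patch-key flags to JSON members of the key record.
# These member names are a guess for illustration, not the documented schema.
FLAG_TO_FIELD = {
    "expires_at": "expiresAt",
    "soft_limit_expiration": "softLimitExpiration",
    "soft_usage_limit": "softUsageLimit",
    "max_usage_limit": "maxUsageLimit",
}
TIMESTAMP_FIELDS = ("expiresAt", "softLimitExpiration")


def merge_patch(target, patch):
    """RFC 7396 JSON Merge Patch.

    Objects merge member by member, a null member deletes that member from the
    target, and any non-object patch replaces the target wholesale. The target
    is never modified in place."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for name, value in patch.items():
        if value is None:
            result.pop(name, None)
        else:
            result[name] = merge_patch(result.get(name), value)
    return result


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp; reject values that carry no UTC offset."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)


def build_patch(**flags):
    """Translate patch-key style flags into a merge-patch body.

    Flags that are not given are left out of the body, so the server keeps
    those members unchanged. Values are validated locally so a typo fails
    before any request is sent."""
    patch = {}
    for flag, field in FLAG_TO_FIELD.items():
        value = flags.get(flag)
        if value is None:
            continue
        if field in TIMESTAMP_FIELDS:
            parse_rfc3339(value)
            patch[field] = value
        else:
            count = int(value)
            if count < 0:
                raise ValueError(f"{field} must be non-negative")
            patch[field] = count
    return patch


def limit_problems(record):
    """Local sanity check (not a documented server rule): a soft limit that is
    later or larger than its hard limit can never produce a warning."""
    problems = []
    if {"softUsageLimit", "maxUsageLimit"}.issubset(record):
        if record["softUsageLimit"] > record["maxUsageLimit"]:
            problems.append("softUsageLimit exceeds maxUsageLimit")
    if {"softLimitExpiration", "expiresAt"}.issubset(record):
        if parse_rfc3339(record["softLimitExpiration"]) > parse_rfc3339(record["expiresAt"]):
            problems.append("softLimitExpiration is after expiresAt")
    return problems


# Constructed sample record standing in for a key as list-keys might report it.
SAMPLE_KEY = {
    "kid": "orders-signing-2025",
    "kty": "RSA",
    "expiresAt": "2026-01-01T00:00:00Z",
    "softLimitExpiration": "2025-12-01T00:00:00Z",
    "maxUsageLimit": 100000,
}


def demo():
    """Extend the hard expiry and add a soft usage cap, as
    patch-key --kid=orders-signing-2025 --expires-at=... --soft-usage-limit=90000
    would. Returns the patch body, the updated record and any local problems."""
    patch = build_patch(expires_at="2026-06-30T00:00:00Z", soft_usage_limit="90000")
    updated = merge_patch(SAMPLE_KEY, patch)
    return patch, updated, limit_problems(updated)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Two consequences of merge-patch semantics are worth keeping in mind: a flag you omit leaves that member untouched, and a JSON `null` removes a member rather than setting it to null. Whether the CLI ever emits `null` (that is, whether a limit can be cleared through these flags) is not stated in this reference.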
### create-rotation

Immediate rotation to a successor key.

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<currentKid>` | ✔︎ | Key to be rotated. |
| `--successor-kid=<newKid>` | ✔︎ | Identifier for the new key. |
| `--kty=<kty>` | ✔︎ | Key type of successor. |
| `--alg=<alg>` | ✔︎ | Algorithm / parameter set. |
| `--key-ops=<ops>[,…]` | | Allowed operations for successor. |
| `--exportable` | | Mark successor as exportable. |
| `--validity-days=<n>` | | Hard expiry (days). |
| `--soft-validity-days=<n>` | | Soft expiry (days). |
| `--max-usage-limit=<n>` | | Hard usage cap. |
| `--soft-usage-limit=<n>` | | Soft usage cap. |
| `--config-path=<file>` | | Alternate properties file. |
## Algorithm Discovery

### get-supported-algorithms

Retrieve the live `(kty, alg)` catalogue.

| Option | Description |
| --- | --- |
| `--config-path=<file>` | Alternate properties file. |
## Non-Streaming File Crypto

These commands submit the whole file in a single API call and are therefore bound by the maximum JSON payload listed under Operational Limits (5 MiB on a Demo tenant); use the `-stream` variants for anything larger.

### encrypt-file

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Public key for encryption. |
| `--input-file=<file>` | ✔︎ | Plaintext source. |
| `--output-file=<file>` | ✔︎ | Compact JWE destination. |
| `--config-path=<file>` | | Alternate properties file. |
### decrypt-file

| Option | Required | Description |
| --- | --- | --- |
| `--input-file=<file>` | ✔︎ | Compact JWE source. |
| `--output-file=<file>` | ✔︎ | Plaintext destination. |
| `--config-path=<file>` | | Alternate properties file. |
### sign-file

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Private key for signing. |
| `--input-file=<file>` | ✔︎ | Data to sign. |
| `--output-jws-file=<file>` | ✔︎ | Compact JWS destination. |
| `--config-path=<file>` | | Alternate properties file. |
### verify-signature

| Option | Required | Description |
| --- | --- | --- |
| `--jws-file=<file>` | ✔︎ | Compact JWS to verify. |
| `--config-path=<file>` | | Alternate properties file. |
### reencrypt-file

| Option | Required | Description |
| --- | --- | --- |
| `--new-kid=<kid>` | ✔︎ | Public key that will protect the refreshed JWE. |
| `--input-file=<file>` | ✔︎ | Original Compact JWE. |
| `--output-file=<file>` | ✔︎ | New Compact JWE. |
| `--config-path=<file>` | | Alternate properties file. |
### resign-file

| Option | Required | Description |
| --- | --- | --- |
| `--new-kid=<kid>` | ✔︎ | Private key for the replacement signature. |
| `--old-jws-file=<file>` | ✔︎ | Original Compact JWS. |
| `--new-jws-file=<file>` | ✔︎ | Refreshed Compact JWS. |
| `--config-path=<file>` | | Alternate properties file. |
## Streaming File Crypto

The streaming commands send the input in chunks (at most the streaming chunk size listed under Operational Limits) and produce detached artefacts: a detached JWET for encryption and a detached JWS for signing. Because the signature is detached, the verify and resign commands need both the data file and the signature file.

### encrypt-file-stream

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Public key for encryption. |
| `--input-file=<file>` | ✔︎ | Plaintext source. |
| `--output-file=<file>` | ✔︎ | Detached JWET destination. |
| `--config-path=<file>` | | Alternate properties file. |
### decrypt-file-stream

| Option | Required | Description |
| --- | --- | --- |
| `--input-file=<file>` | ✔︎ | Detached JWET source. |
| `--output-file=<file>` | ✔︎ | Plaintext destination. |
| `--config-path=<file>` | | Alternate properties file. |
### sign-file-stream

| Option | Required | Description |
| --- | --- | --- |
| `--kid=<kid>` | ✔︎ | Private key for signing. |
| `--input-file=<file>` | ✔︎ | Data stream. |
| `--output-signature-file=<file>` | ✔︎ | Detached-JWS destination. |
| `--config-path=<file>` | | Alternate properties file. |
### verify-signature-stream

| Option | Required | Description |
| --- | --- | --- |
| `--input-file=<file>` | ✔︎ | Data stream. |
| `--input-signature-file=<file>` | ✔︎ | Detached-JWS to verify. |
| `--config-path=<file>` | | Alternate properties file. |
### reencrypt-file-stream

| Option | Required | Description |
| --- | --- | --- |
| `--new-kid=<kid>` | ✔︎ | Public key that will protect the refreshed ciphertext. |
| `--input-file=<file>` | ✔︎ | Original detached JWET. |
| `--output-file=<file>` | ✔︎ | New detached JWET. |
| `--source-kid-override=<kid>` | | Override when the legacy JWE header lacks `kid`. |
| `--config-path=<file>` | | Alternate properties file. |
### resign-file-stream

| Option | Required | Description |
| --- | --- | --- |
| `--new-kid=<kid>` | ✔︎ | Private key for new signature. |
| `--old-signature-file=<file>` | ✔︎ | Existing detached-JWS. |
| `--input-file=<file>` | ✔︎ | Data stream. |
| `--new-signature-file=<file>` | ✔︎ | Refreshed detached-JWS. |
| `--config-path=<file>` | | Alternate properties file. |
## Public-Key Utility Streams

### encrypt-file-publickey-stream

Encrypt with a caller-supplied public key (not stored server-side).

| Option | Required | Description |
| --- | --- | --- |
| `--kty=<kty>` | ✔︎ | Key type. |
| `--alg=<alg>` | ✔︎ | Algorithm / parameter set. |
| `--public-key=<json>` | ✔︎ | JSON file holding `ExportedKeySpec.publicKey`. |
| `--input-file=<file>` | ✔︎ | Plaintext source. |
| `--output-file=<file>` | ✔︎ | Detached JWET destination. |
| `--config-path=<file>` | | Alternate properties file. |
### verify-signature-publickey-stream

Verify with a caller-supplied public key.

| Option | Required | Description |
| --- | --- | --- |
| `--kty=<kty>` | ✔︎ | Key type. |
| `--alg=<alg>` | ✔︎ | Algorithm / parameter set. |
| `--public-key=<json>` | ✔︎ | JSON file holding `ExportedKeySpec.publicKey`. |
| `--input-signature-file=<file>` | ✔︎ | Detached-JWS to verify. |
| `--input-file=<file>` | ✔︎ | Data stream. |
| `--config-path=<file>` | | Alternate properties file. |
## Operational Limits

| Resource | Default (Demo tenant) |
| --- | --- |
| Max JSON payload | 5 MiB |
| Max streaming chunk size | 5 MiB |
| Access-token lifetime | 1 h |
| Refresh-token lifetime | 72 h |

Custom limits are available for production tenants; contact support.
## Best Practices

- Run `init` once per environment; never store plaintext credentials.
- Use the `*-stream` commands for any artefact larger than 5 MiB, the non-streaming payload limit.
- Rotate keys with `create-rotation`. The soft expiry and soft usage limits exist so that the API can warn before the hard limit is reached; treat those warnings in API responses as the trigger to rotate.
- Query `get-supported-algorithms` before `generate-key` to enforce policy on the `(kty, alg)` pairs your environment allows.
- Gate CI/CD jobs on CLI exit codes: non-zero means failure.
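The following helper is an added example of driving the CLI from a CI job along the lines of the practices above; it is not part of the AnkaSecure CLI. It assumes the executable is on `PATH` as `AnkaSecureCLI`, that credentials reach the job through environment variables named `ANKA_CLIENT_ID` and `ANKA_CLIENT_SECRET` (names chosen for this example), and the 5 MiB non-streaming limit from the Operational Limits table. It builds `init --silent` from the environment rather than from hard-coded values, picks `encrypt-file` or `encrypt-file-stream` by input size, fails the job on any non-zero exit code, and redacts secret-bearing flags before echoing the command into the build log.

```python
import os
import shlex
import subprocess
import sys

CLI = "AnkaSecureCLI"                      # assumed to be on PATH
PAYLOAD_LIMIT = 5 * 1024 * 1024            # Max JSON payload, Demo tenant
SECRET_FLAGS = ("--client-secret=", "--p12-password=")


class CliError(RuntimeError):
    """Raised on any non-zero exit so the CI step fails loudly."""

    def __init__(self, argv, returncode, stderr):
        shown = " ".join(redact_argv(argv)[:2])
        super().__init__(f"{shown} failed with exit code {returncode}: {stderr.strip()}")
        self.argv, self.returncode, self.stderr = argv, returncode, stderr


def redact_argv(argv):
    """Mask secret-bearing flags before anything is echoed into a build log."""
    return [a.split("=", 1)[0] + "=***" if a.startswith(SECRET_FLAGS) else a for a in argv]


def init_args(env=None):
    """Non-interactive init with credentials taken from the environment
    (ANKA_CLIENT_ID / ANKA_CLIENT_SECRET are this example's variable names),
    so nothing secret is committed with the pipeline definition. The values
    still appear on the command line, so the job's process table must be
    private to the job."""
    env = os.environ if env is None else env
    missing = [k for k in ("ANKA_CLIENT_ID", "ANKA_CLIENT_SECRET") if k not in env]
    if missing:
        raise RuntimeError(f"missing credential variable(s): {', '.join(missing)}")
    return ["init", "--silent",
            f"--client-id={env['ANKA_CLIENT_ID']}",
            f"--client-secret={env['ANKA_CLIENT_SECRET']}"]


def encrypt_args(kid, input_file, output_file, size_bytes):
    """Choose encrypt-file below the payload limit and encrypt-file-stream at
    or above it; both commands take the same option names."""
    command = "encrypt-file" if size_bytes < PAYLOAD_LIMIT else "encrypt-file-stream"
    return [command, f"--kid={kid}", f"--input-file={input_file}", f"--output-file={output_file}"]


def encrypt_args_for(kid, path, output_file):
    """Same as encrypt_args, sizing the input from the filesystem."""
    return encrypt_args(kid, path, output_file, os.path.getsize(path))


def run_cli(args, executable=CLI):
    """Run one CLI command. Non-zero exit means failure, so raise rather than
    let a failed encrypt or verify be silently followed by the next step."""
    argv = [executable, *args]
    print("+ " + " ".join(shlex.quote(a) for a in redact_argv(argv)), file=sys.stderr)
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise CliError(argv, proc.returncode, proc.stderr)
    return proc.stdout


if __name__ == "__main__":
    # Real invocation; only meaningful where the CLI and credentials exist.
    run_cli(init_args())
    run_cli(encrypt_args_for("release-key", "build/artifact.tar", "build/artifact.jwe"))
```

Appending `--config-path=<file>` to every argument list is the simplest way to keep one credential store per environment when several pipelines share a runner. The redaction only protects the log echo; the raw values are still on the command line, which is the exposure the `init` section warns about.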
© 2025 Anka Technologies. All rights reserved.