Skip to content

AnkaSecure CLI – Overview

The AnkaSecure CLI is a cross-platform command-line utility that integrates directly with the AnkaSecure API, allowing you to perform cryptographic operations, manage keys, and automate security workflows without writing code.

Introduction

  • Command-Line Power – Run cryptographic commands from any terminal or script environment.
  • Automation & Scripting – Ideal for CI/CD pipelines and DevSecOps processes.
  • Post-Quantum Ready – Supports ML-KEM, ML-DSA, Falcon, and SLH-DSA, alongside classical RSA/ECC algorithms.
  • Enterprise Integration – Easily pairs with HSMs, SIEM systems, and secure vaults.

Why Use AnkaSecure CLI?

  1. No Programming Required – Execute commands interactively or via shell scripts—no custom code needed.
  2. Consistent API Integration – Every CLI operation corresponds to an AnkaSecure API endpoint, ensuring uniform behavior across different environments.
  3. Large-File Streaming – Efficiently encrypt, decrypt, sign, or verify large files (GB+) in streaming mode to avoid high memory usage.
  4. Crypto-Agility – Leverage both classical and post-quantum keys. Migrate from RSA to PQC or rotate keys seamlessly.
  5. Logging & Auditing – CLI activities can be logged in detail, supporting regulatory compliance and security audits.

Typical Use Cases

  1. Key Management – Generate, import, export, revoke, or remove cryptographic keys—both classical and post-quantum.
  2. Encryption/Decryption – Securely encrypt large data sets or files, then decrypt them on demand.
  3. Signing/Verification – Digitally sign artifacts (e.g., binaries, documents) and verify signatures to maintain data integrity.
  4. Re-Encryption/Re-Signing – Seamlessly transition from old keys to new post-quantum keys without exposing plaintext or needing multiple file passes.
  5. CI/CD Integration – Automate cryptographic tasks within build pipelines to ensure secure application delivery.

Installation & Executables

Distribution File Notes
Windows AnkaSecureCLI.exe
AnkaSecureCLIDemo.exe		 64-bit signed binaries
macOS ankasecure-cli
ankasecure-cli-demo		 Universal 2 binaries
Linux ankasecure-cli
ankasecure-cli-demo		 Glibc ≥ 2.31

Download installers from AnkaSecure CLI Releases or pull the self-contained JAR:

java -jar AnkaSecureClient.jar <command> [options]

Executable Pairing\ AnkaSecureCLI is the production-grade interface for scripting and automation.\ AnkaSecureCLIDemo is an interactive, menu-driven utility that showcases end-to-end scenarios without requiring any command-line arguments. Both executables share the same runtime and configuration file.

Interactive Demo Utility -- AnkaSecureCLIDemo

Purpose

AnkaSecureCLIDemo provides a guided tour of the CLI and SDK.\ It presents 19 pre-built scenarios covering asymmetric, symmetric, streaming, non-streaming, re-encryption, re-signing, key-lifecycle management, and algorithm-discovery workflows.

How It Works

  1. Menu Launch -- Start the executable without parameters.

  2. Scenario Selection -- Choose a number (1--19) to run a fully scripted example.

  3. Live Output -- The utility generates plaintext, keys, ciphertext, signatures, and metadata inside the temp_files directory, echoing each step to the console.

  4. Auto-Cleanup -- Temporary artefacts are removed at the end of every scenario unless you pass the --preserve flag when invoking the demo.

Scenario Index

# Scenario Title Core Operation Streaming Algorithms Highlighted
1 Asymmetric Encrypt / Decrypt Encrypt-then-decrypt file ✔︎ ML-KEM-512
2 Sign / Verify Sign file & verify sig ✔︎ RSA-2048
3 Symmetric Encrypt / Decrypt AES large-file workflow ✔︎ AES-256
4 Asymmetric Re-encrypt RSA → ML-KEM migration ✔︎ RSA-2048, ML-KEM-512
5 ML-KEM-512 Encrypt / Decrypt Non-streaming PQC crypto ML-KEM-512
6 ML-DSA-87 Sign / Verify PQC signing ML-DSA-87
7 AES-256 Encrypt / Decrypt Small-file symmetric AES-256
8 EC-521 → ML-KEM-768 Re-encrypt Post-quantum migration EC-521, ML-KEM-768
9 RSA-2048 → ML-DSA-65 Re-sign Signature upgrade RSA-2048, ML-DSA-65
10 Asymmetric Public-Key Utility Client-side encryption ML-KEM-1024
11 Sign ML-DSA-87 & Verify (PK Utility) Server sign / local verify ML-DSA-87
12 Re-sign Streaming (RSA → FALCON-1024) Streaming signature swap ✔︎ RSA-2048, FALCON-1024
13 Import PKCS#12 & Sign/Encrypt Legacy key onboarding PKCS#12, ML-KEM-512
14 Key Management & License Checks Advanced lifecycle ops ML-KEM-768
15 ML-DSA-87 Sign / Verify (Streaming) Streamed PQC signing ✔︎ ML-DSA-87
16 ML-KEM-1024 Encrypt / Decrypt (Streaming) Large-file PQC encrypt ✔︎ ML-KEM-1024
17 Rapid Key-Revocation Lifecycle Revoke & enforce block RSA-3072
18 Dynamic Key-Limit Upsize (AES-256) RFC 7396 merge-patch AES-256
19 Supported-Algorithm Discovery Demo Runtime capability query Dynamic

Each scenario is implemented in the SDK Integration Flows documentation.\ Use the table above when mapping demo runs to their corresponding Markdown source (flow<n>.md).

Running the Demo

Launch the interactive menu

AnkaSecureCLIDemo.exe or ankasecure-cli-demo on Unix platforms`

Optional flags:

Flag Description
--config <file> Use an alternate cli.properties file.

Initialization (Required)

Before executing any CLI command (including the demo) you must initialize the CLI with encrypted credentials using the init command.\ This step securely stores your clientId and clientSecret using AES-GCM encryption with a UUID-based derived key.

AnkaSecureCLI init

During initialization you will be prompted for credentials, and a secure cli.properties file will be created containing:

  • Encrypted credentials (clientIdEnc, clientSecretEnc)

  • Randomly generated salt and UUID (client.uuid, client.salt) used for key derivation

Mandatory -- If initialization is skipped, CLI operations (including every demo scenario) will fail with a security error.

For configuration details see the CLI Configuration Guide.

Configuration

The CLI reads its settings from a cli.properties file, which includes:

  • Client Credentials (clientId, clientSecret)

  • Server Variables (host, port, TLS settings)

  • Proxy and Timeouts

  • Logging preferences

See the configuration guide for property-level documentation.

Command Reference

The AnkaSecure CLI provides a comprehensive set of commands to interact with the AnkaSecure API. Highlights include:

  • generate-key -- Create a new key (RSA, ECC, ML-KEM, etc.) with optional usage and expiration constraints.

  • encrypt-file / decrypt-file -- Securely encrypt or decrypt data, either in base-64 or streaming.

  • sign-file / verify-signature -- Sign or verify artifacts in a single pass (standard or streaming).

  • reencrypt-file / resign-file -- Migrate existing ciphertext or signatures to new keys (classical or post-quantum).

  • list-keys / remove-key / revoke-key -- Basic key-lifecycle commands.

See the CLI Command Reference for the full list and usage syntax.

Getting Started

  1. Install the AnkaSecure CLI on your platform of choice.

  2. Configure with valid credentials and connection details (cli.properties).

  3. Verify Setup by running a simple command such as AnkaSecureCLI list-keys.

  4. Explore encryption, signing, and re-encryption scenarios as needed---or launch AnkaSecureCLIDemo for hands-on learning.

Next Steps

  • CLI Configuration Guide -- Fine-tune time-outs, proxies, logging, and credential storage.

  • CLI Command Reference -- Detailed usage for every command.

  • CI/CD Integration -- Add CLI commands to your pipelines for automated key rotation, artifact signing, and more.

Conclusion

The AnkaSecure CLI brings crypto-agility, post-quantum security, and large-file streaming to your terminal.\ Whether you are managing keys for enterprise compliance, automating file encryption in CI/CD, or transitioning to post-quantum algorithms, the CLI---and its interactive AnkaSecureCLIDemo---provide a straightforward, script-friendly pathway to robust cryptography.

© 2025 ITAC -- All rights reserved.