AnkaSecure CLI – Overview

The AnkaSecure CLI is a cross-platform command-line utility that talks directly to the AnkaSecure API.
It lets you perform cryptographic operations, manage keys and automate security workflows without writing code.


1 · Introduction

  • Command-Line Power – Run cryptographic commands from any terminal or script.
  • Automation & Scripting – Perfect for CI/CD pipelines and DevSecOps tasks.
  • Post-Quantum Ready – Works with ML-KEM, ML-DSA, Falcon, SLH-DSA plus classical RSA/ECC.
  • Enterprise Integration – Pairs easily with HSMs, SIEMs, secret-vaults and schedulers.

2 · Why use AnkaSecure CLI?

  1. No coding – interactive commands or shell scripts: pick your style.
  2. One-to-one with the API – every CLI verb maps to an API endpoint.
  3. Large-file streaming – encrypt / decrypt / sign GB-scale artefacts without memory spikes.
  4. Crypto-agility – migrate from RSA/ECC to PQC or raise security levels via key rotation.
  5. Auditable – verbose logging supports compliance and forensics.

3 · Typical use cases

| Area | What you can do |
|---|---|
| Key Management | Generate, import, export, revoke, rotate or delete keys. |
| Encryption / Decryption | Secure huge data sets, then decrypt on demand. |
| Signing / Verification | Produce and validate detached JWS for artefacts or logs. |
| Re-Encrypt / Re-Sign | Upgrade existing data to stronger keys without extra passes. |
| CI/CD | Automate crypto tasks in build pipelines and release workflows. |

4 · Installation

| Platform | Executables | Notes |
|---|---|---|
| Windows | AnkaSecureCLI.exe / AnkaSecureCLIDemo.exe | 64-bit signed binaries |
| macOS | ankasecure-cli / ankasecure-cli-demo | Universal 2 |
| Linux | ankasecure-cli / ankasecure-cli-demo | Glibc ≥ 2.31 |

Grab installers from Downloads ► CLI or run the self-contained JAR:

java -jar AnkaSecureClient.jar <command> [options]

Executable pairing

AnkaSecureCLI is the scripting-grade binary.

AnkaSecureCLIDemo is an interactive, menu-driven showcase.


5 · Scenario Catalogue (AnkaSecureCLIDemo)

Launch AnkaSecureCLIDemo with no arguments and pick a number (1-23).

Each scenario creates temporary files under temp_files/ and prints live progress.

| # | Scenario Name | Core Operation(s) | Streaming | Algorithms | When to use it |
|---|---|---|---|---|---|
| 1 | Asymmetric Encrypt/Decrypt | ML-KEM-512 encrypt + decrypt | ✔︎ | ML-KEM-512 | First-look PQC demo; shows entire JWET cycle. |
| 2 | Sign/Verify | Detached-JWS sign + verify | ✔︎ | RSA-2048 | Validate classical signing over large logs. |
| 3 | Symmetric Encrypt/Decrypt | AES-256 stream encrypt/decrypt | ✔︎ | AES-256 | Fast bulk encryption inside secure LANs. |
| 4 | Asymmetric Re-encrypt | RSA-2048 → ML-KEM-512 | ✔︎ | RSA-2048, ML-KEM-512 | One-pass ciphertext migration to PQC. |
| 5 | ML-KEM-512 Encrypt/Decrypt | Non-stream demo | | ML-KEM-512 | Small payloads; shows compact JWE flow. |
| 6 | ML-DSA-87 Sign/Verify | Non-stream PQC signing | | ML-DSA-87 | Quick check of ML-DSA tokens. |
| 7 | AES-256 Encrypt/Decrypt | Non-stream symmetric | | AES-256 | Unit tests or config secrets < 5 MB. |
| 8 | EC-521 → ML-KEM-768 Re-encrypt | Non-stream | | EC-521, ML-KEM-768 | Legacy elliptic-curve data uplift. |
| 9 | RSA-2048 → ML-DSA-65 Re-sign | Non-stream | | RSA-2048, ML-DSA-65 | Upgrade detached signatures offline. |
| 10 | Asymmetric Public-Key Utility | Client-side encrypt | | ML-KEM-1024 | Encrypt for a partner without storing their key. |
| 11 | ML-DSA-87 Sign & Verify Utility | Server sign / local verify | | ML-DSA-87 | Show ad-hoc public-key verification. |
| 12 | Re-sign Stream (RSA → Falcon-1024) | Stream swap | ✔︎ | RSA-2048, Falcon-1024 | Large-file signature upgrade in place. |
| 13 | PKCS#12 Import & Sign/Encrypt | Legacy key onboarding | | RSA / EC / PQC | Bring external keys into AnkaSecure quickly. |
| 14 | Key Management & License Checks | Lifecycle ops | | ML-KEM-768 | Script quotas, expiry, and license info. |
| 15 | ML-DSA-87 Sign/Verify (Streaming) | PQC stream signing | ✔︎ | ML-DSA-87 | Continuous log signing for audit chains. |
| 16 | ML-KEM-1024 Encrypt/Decrypt (Streaming) | Large-file PQC crypto | ✔︎ | ML-KEM-1024 | Archive-grade confidentiality ≥ 30 years. |
| 17 | Immediate Key Rotation & Metadata | Rotate & inspect | | ML-KEM-768 → HQC-192 | Test cross-algorithm rotation rules. |
| 18 | On-the-fly Limits / Lifetime Patch | RFC 7396 patch | | AES-256 | Show dynamic quota boosts in prod. |
| 19 | Supported-Algorithm Discovery | Runtime query | | Dynamic | Integrate /supported-algorithms into tooling. |
| 20 | In-memory JWE/JWS Quick-start | Compact tokens | | ML-KEM-512, PS256 | Lowest-latency demo (no streams). |
| 21 | Compact-token Rotation | Re-encrypt JWE | | RSA-2048 → ML-KEM-768 | Migrate mobile app tokens on the fly. |
| 22 | Detached-JWS Stream Verification | Verify only | ✔︎ | Falcon-512 | Audit external artefacts without local keys. |
| 23 | RSA-2048 → ML-KEM-768 Immediate Rotation | Key rotation | | RSA-2048 → ML-KEM-768 | Raise security level for existing traffic keys. |

All scenarios are mirrored in the SDK examples located under SDK ► Integration Flows. Use the table for quick cross-reference.


5.1 Sample console output

Scenario 1 (truncated)

===== SCENARIO 1 START =====
Purpose :
* Generate ML-KEM-512
* Export metadata
* Stream-encrypt (detached JWE) / stream-decrypt
* Validate integrity
--------------------------------------------------------------
Loaded config from C:\AnkaTech\AnkaSecureCLI\cli.properties
Authenticated clientId=88888888-8888-8888-8888-888888888888
[1] Plaintext ready      -> C:\AnkaTech\AnkaSecureCLI\temp_files\scenario1_plain.txt
[2] Key generated        -> kid = sc1_kem_1749835944233
[3] Metadata exported    -> C:\AnkaTech\AnkaSecureCLI\temp_files\scenario1_keydata.json
[4] Ciphertext written    -> C:\AnkaTech\AnkaSecureCLI\temp_files\scenario1.enc
* Key requested : sc1_kem_1749835944233
* Key used      : sc1_kem_1749835944233
* Algorithm     : ML-KEM-512
[5] Decrypted file        -> C:\AnkaTech\AnkaSecureCLI\temp_files\scenario1.dec
* Key requested : sc1_kem_1749835944233
* Key used      : sc1_kem_1749835944233
* Algorithm     : ML-KEM-512
[6] Validation OK ? plaintext matches.
===== SCENARIO 1 END =====

Scenario 2 (truncated)

===== SCENARIO 2 START =====
Purpose   : RSA-2048 key generation, detached-JWS streaming sign & verify
...
SUCCESS -- signature verified.
===== SCENARIO 2 END =====
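
The Scenario 1 output above prints the key requested, the key used and the algorithm for each operation. As an added example (not AnkaSecure code), the Python below parses output in that format and reports any step where the two key ids differ or the algorithm falls outside an allow-list; the function names, the allow-list and the altered sample log are this example's own assumptions, as is treating a requested/used difference as something to flag.

```python
import re

# Constructed sample in the format of the Scenario 1 output shown above.
# Step [5] is altered on purpose: key used and algorithm differ from step [4].
SAMPLE_LOG = """\
===== SCENARIO 1 START =====
[4] Ciphertext written    -> temp_files/scenario1.enc
* Key requested : sc1_kem_1749835944233
* Key used      : sc1_kem_1749835944233
* Algorithm     : ML-KEM-512
[5] Decrypted file        -> temp_files/scenario1.dec
* Key requested : sc1_kem_1749835944233
* Key used      : sc1_kem_OTHER
* Algorithm     : RSA-2048
===== SCENARIO 1 END =====
"""

# Hypothetical helpers for this example; not part of the CLI or SDK.
STEP_RE = re.compile(r"^\[(\d+)\]\s+(.*?)\s*->\s*(.*)$")
FIELD_RE = re.compile(r"^\*\s*(Key requested|Key used|Algorithm)\s*:\s*(\S.*?)\s*$")


def parse_steps(log_text):
    """Group the '* field : value' lines under the numbered step they follow."""
    steps, current = [], None
    for line in log_text.splitlines():
        step = STEP_RE.match(line)
        if step:
            current = {"step": int(step.group(1)), "label": step.group(2), "fields": {}}
            steps.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current["fields"][field.group(1)] = field.group(2)
    return steps


def audit(log_text, allowed_algorithms):
    """Return findings for steps whose key or algorithm is not what was expected."""
    findings = []
    for s in parse_steps(log_text):
        f = s["fields"]
        if not f:
            continue  # step reported no key details
        if f.get("Key requested") != f.get("Key used"):
            findings.append((s["step"], "key-mismatch", f.get("Key used")))
        if f.get("Algorithm") not in allowed_algorithms:
            findings.append((s["step"], "algorithm-not-allowed", f.get("Algorithm")))
    return findings
```

Calling `audit(SAMPLE_LOG, {"ML-KEM-512"})` returns one tuple per finding, which a pipeline step can turn into a failed build.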

6 · Initialization (required)

AnkaSecureCLI init

The wizard encrypts clientId / clientSecret with AES-GCM and stores them in cli.properties.
If you skip this step, every command immediately fails with a security error.

Full details: CLI Configuration.


7 · Configuration

cli.properties controls:

  • Credentials

  • Server host / port / TLS

  • Proxy & time-outs

  • Logging verbosity

See the configuration guide for every property.


8 · Command reference (highlights)

| Command | Purpose |
|---|---|
| generate-key | Create RSA, ECC, ML-KEM, etc. |
| encrypt-file / decrypt-file | Base64 or streaming JWE(T). |
| sign-file / verify-signature | Detached-JWS (stream or in-memory). |
| reencrypt-file / resign-file | Rotate ciphertext / signatures. |
| list-keys, revoke-key, remove-key | Life-cycle management. |

Full syntax: CLI Command Reference.


9 · Getting started

  1. Install the CLI for your OS.

  2. Init with valid credentials.

  3. Test AnkaSecureCLI list-keys.

  4. Explore scenarios 1-23 or integrate commands in CI/CD.


10 · Next steps


The AnkaSecure CLI delivers crypto-agility, post-quantum security and GB-scale streaming from your terminal.
Combine it with AnkaSecureCLIDemo for a guided tour, then plug the same commands straight into production pipelines.

© 2025 ITAC. All rights reserved.