Skip to content

CLI Scripting & Automation

Learn how to automate cryptographic operations using AnkaSecure CLI in bash/PowerShell scripts and CI/CD pipelines.

Bash Scripting Examples

Batch Encryption

Encrypt multiple files:

#!/bin/bash
# encrypt-batch.sh

KEY_ID="production-data-key"
INPUT_DIR="./sensitive-data"
OUTPUT_DIR="./encrypted-data"

mkdir -p "$OUTPUT_DIR"

# Encrypt all files in directory
for file in "$INPUT_DIR"/*; do
    filename=$(basename "$file")
    echo "Encrypting $filename..."

    ankasecure-cli encrypt \
        --key-id "$KEY_ID" \
        --input "$file" \
        --output "$OUTPUT_DIR/$filename.enc"

    if [ $? -eq 0 ]; then
        echo "✓ $filename encrypted successfully"
    else
        echo "✗ $filename encryption failed" >&2
        exit 1
    fi
done

echo "Batch encryption complete: $(ls $OUTPUT_DIR | wc -l) files"

Parallel Processing

Use GNU Parallel for speed:

#!/bin/bash
# parallel-encrypt.sh

export KEY_ID="production-key"

# Encrypt files in parallel (4 concurrent jobs)
ls sensitive-data/*.txt | parallel -j 4 \
    'ankasecure-cli encrypt --key-id $KEY_ID --input {} --output {}.enc'

echo "Parallel encryption complete"

Performance: 4x faster than sequential processing (for 4-core CPU).

Error Handling

Robust error handling:

#!/bin/bash
# encrypt-with-retry.sh

encrypt_with_retry() {
    local file=$1
    local output=$2
    local max_retries=3
    local retry_count=0

    while [ $retry_count -lt $max_retries ]; do
        ankasecure-cli encrypt --key-id "$KEY_ID" --input "$file" --output "$output"

        if [ $? -eq 0 ]; then
            echo "✓ Success: $file"
            return 0
        else
            retry_count=$((retry_count + 1))
            echo "⚠ Retry $retry_count/$max_retries: $file" >&2
            sleep $((retry_count * 2))  # Exponential backoff: 2s, 4s, 6s
        fi
    done

    echo "✗ Failed after $max_retries retries: $file" >&2
    return 1
}

# Usage
encrypt_with_retry "sensitive.txt" "sensitive.enc"

PowerShell Scripting Examples

Batch Encryption (Windows)

# encrypt-batch.ps1

$KeyId = "production-data-key"
$InputDir = ".\sensitive-data"
$OutputDir = ".\encrypted-data"

New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null

Get-ChildItem -Path $InputDir | ForEach-Object {
    Write-Host "Encrypting $($_.Name)..."

    ankasecure-cli encrypt `
        --key-id $KeyId `
        --input $_.FullName `
        --output "$OutputDir\$($_.Name).enc"

    if ($LASTEXITCODE -eq 0) {
        Write-Host "✓ $($_.Name) encrypted successfully" -ForegroundColor Green
    } else {
        Write-Host "✗ $($_.Name) encryption failed" -ForegroundColor Red
        exit 1
    }
}

Write-Host "Batch encryption complete: $((Get-ChildItem $OutputDir).Count) files"

Parallel Processing (PowerShell 7+)

# parallel-encrypt.ps1

$KeyId = "production-key"
$Files = Get-ChildItem ".\sensitive-data\*.txt"

$Files | ForEach-Object -Parallel {
    $KeyId = $using:KeyId

    ankasecure-cli encrypt `
        --key-id $KeyId `
        --input $_.FullName `
        --output "$($_.FullName).enc"
} -ThrottleLimit 4  # 4 concurrent jobs

Write-Host "Parallel encryption complete"

CI/CD Integration

GitHub Actions

```.github/workflows/encrypt-release.yml name: Encrypt Release Artifacts

on: release: types: [published]

jobs: encrypt: runs-on: ubuntu-latest

steps:
  - uses: actions/checkout@v3

  - name: Install AnkaSecure CLI
    run: |
      curl -fsSL https://install.ankasecure.com/cli.sh | bash
      ankasecure-cli version

  - name: Configure CLI
    env:
      ANKASECURE_API_KEY: ${{ secrets.ANKASECURE_API_KEY }}
      ANKASECURE_TENANT_ID: ${{ secrets.ANKASECURE_TENANT_ID }}
    run: |
      ankasecure-cli config set api-key "$ANKASECURE_API_KEY"
      ankasecure-cli config set tenant-id "$ANKASECURE_TENANT_ID"
      ankasecure-cli config set api-url "https://api.ankasecure.com"

  - name: Encrypt Build Artifacts
    run: |
      mkdir encrypted-artifacts

      for file in dist/*; do
        ankasecure-cli encrypt \
          --key-id "release-encryption-key" \
          --input "$file" \
          --output "encrypted-artifacts/$(basename $file).enc"
      done

  - name: Upload Encrypted Artifacts
    uses: actions/upload-artifact@v3
    with:
      name: encrypted-release
      path: encrypted-artifacts/

`` **GitHub Secrets** (add in repository settings): -ANKASECURE_API_KEY: Production API key -ANKASECURE_TENANT_ID`: Your tenant ID

GitLab CI

.gitlab-ci.yml encrypt_artifacts: stage: build image: ubuntu:22.04 before_script: - apt-get update && apt-get install -y curl - curl -fsSL https://install.ankasecure.com/cli.sh | bash - export PATH=$PATH:/usr/local/bin script: - ankasecure-cli config set api-key "$ANKASECURE_API_KEY" - ankasecure-cli config set tenant-id "$ANKASECURE_TENANT_ID" - mkdir encrypted-artifacts - for file in dist/*; do ankasecure-cli encrypt \ --key-id "release-key" \ --input "$file" \ --output "encrypted-artifacts/$(basename $file).enc"; done artifacts: paths: - encrypted-artifacts/ variables: ANKASECURE_API_KEY: $CI_ANKASECURE_API_KEY # GitLab CI variable ANKASECURE_TENANT_ID: $CI_ANKASECURE_TENANT_ID

Jenkins Pipeline

// Jenkinsfile

pipeline {
    agent any

    environment {
        ANKASECURE_API_KEY = credentials('ankasecure-api-key')
        ANKASECURE_TENANT_ID = credentials('ankasecure-tenant-id')
    }

    stages {
        stage('Install CLI') {
            steps {
                sh '''
                    curl -fsSL https://install.ankasecure.com/cli.sh | bash
                    ankasecure-cli version
                '''
            }
        }

        stage('Configure CLI') {
            steps {
                sh '''
                    ankasecure-cli config set api-key "$ANKASECURE_API_KEY"
                    ankasecure-cli config set tenant-id "$ANKASECURE_TENANT_ID"
                '''
            }
        }

        stage('Encrypt Artifacts') {
            steps {
                sh '''
                    mkdir -p encrypted-artifacts

                    for file in dist/*; do
                        ankasecure-cli encrypt \
                            --key-id "jenkins-release-key" \
                            --input "$file" \
                            --output "encrypted-artifacts/$(basename $file).enc"
                    done
                '''
            }
        }

        stage('Archive Encrypted Artifacts') {
            steps {
                archiveArtifacts artifacts: 'encrypted-artifacts/*', fingerprint: true
            }
        }
    }
}

Automation Patterns

Automated Key Rotation

Rotate keys automatically (cron job):

#!/bin/bash
# rotate-keys-monthly.sh (run via cron)

# Generate new key
NEW_KEY_ID="monthly-key-$(date +%Y-%m)"

ankasecure-cli key generate \
    --algorithm ML-KEM-768 \
    --key-id "$NEW_KEY_ID"

if [ $? -ne 0 ]; then
    echo "✗ Key generation failed" >&2
    exit 1
fi

echo "✓ New key generated: $NEW_KEY_ID"

# Re-encrypt data with new key
ankasecure-cli migration batch-reencrypt \
    --source-key "monthly-key-$(date -d '1 month ago' +%Y-%m)" \
    --target-key "$NEW_KEY_ID" \
    --input-dir /data/encrypted/

echo "✓ Key rotation complete"

# Send notification
curl -X POST https://hooks.slack.com/services/YOUR/WEBHOOK/URL \
    -d "{\"text\":\"AnkaSecure key rotation complete: $NEW_KEY_ID\"}"

Cron schedule (first day of every month): 

0 2 1 * * /opt/scripts/rotate-keys-monthly.sh >> /var/log/ankasecure-rotation.log 2>&1

Monitoring Script

Check platform health (monitoring):

#!/bin/bash
# health-check.sh

API_URL="https://api.ankasecure.com"

# Check platform health
HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$API_URL/api/v1/public/health")

if [ "$HTTP_STATUS" = "200" ]; then
    echo "✓ AnkaSecure platform healthy"
    exit 0
else
    echo "✗ AnkaSecure platform unhealthy (HTTP $HTTP_STATUS)" >&2

    # Send alert
    curl -X POST https://monitoring.example.com/alert \
        -d "service=ankasecure&status=down&http_code=$HTTP_STATUS"

    exit 1
fi

Cron schedule (every 5 minutes): 

*/5 * * * * /opt/scripts/health-check.sh

Environment Variable Management

.env File Pattern

Store credentials securely:

# .ankasecure.env (add to .gitignore)
ANKASECURE_API_KEY=ask_1234567890abcdef...
ANKASECURE_TENANT_ID=your-tenant-id
ANKASECURE_API_URL=https://api.ankasecure.com

Load in script: 

#!/bin/bash
# Source environment variables
source .ankasecure.env

# Configure CLI
ankasecure-cli config set api-key "$ANKASECURE_API_KEY"
ankasecure-cli config set tenant-id "$ANKASECURE_TENANT_ID"

# Run operations
ankasecure-cli key list

Secret Manager Integration

AWS Secrets Manager:

#!/bin/bash
# Use AWS Secrets Manager for credentials

# Fetch API key from Secrets Manager
API_KEY=$(aws secretsmanager get-secret-value \
    --secret-id ankasecure/api-key \
    --query SecretString \
    --output text)

# Configure CLI
ankasecure-cli config set api-key "$API_KEY"

# Run operations
ankasecure-cli encrypt --key-id my-key --input data.txt --output data.enc

Azure Key Vault:

#!/bin/bash
# Use Azure Key Vault for credentials

# Fetch API key
API_KEY=$(az keyvault secret show \
    --name ankasecure-api-key \
    --vault-name my-keyvault \
    --query value \
    --output tsv)

ankasecure-cli config set api-key "$API_KEY"

Docker Integration

Encrypt in Docker Container

Dockerfile: 

FROM ubuntu:22.04

# Install AnkaSecure CLI
RUN apt-get update && apt-get install -y curl
RUN curl -fsSL https://install.ankasecure.com/cli.sh | bash

# Copy data
COPY sensitive-data/ /data/input/

# Configure CLI (credentials via environment variables)
ENV ANKASECURE_API_KEY=${ANKASECURE_API_KEY}
ENV ANKASECURE_TENANT_ID=${ANKASECURE_TENANT_ID}

# Encrypt script
COPY encrypt.sh /scripts/
RUN chmod +x /scripts/encrypt.sh

CMD ["/scripts/encrypt.sh"]

Run: 

docker build -t data-encryptor .
docker run \
    -e ANKASECURE_API_KEY="ask_..." \
    -e ANKASECURE_TENANT_ID="your-tenant" \
    -v $(pwd)/output:/data/output \
    data-encryptor

Documentation Version: 3.0.0 Last Updated: 2025-12-26