Klef docs

Klef CLI

Zero-knowledge .env sync and secrets management for developers. Encryption happens on your machine. The server only ever stores ciphertext.

Klef keeps your .env files in sync across machines and teammates, end to end encrypted. Your secrets are encrypted and decrypted on your own device. The server stores ciphertext and nothing else: it never sees your values, your password, or your keys.

The CLI is the primary way to use Klef. Everything you can do in the web app you can do from the terminal.

What Klef does

  • Sync .env files across machines. Push your local .env.local to Klef, pull it down on another machine, fully encrypted in transit and at rest.
  • Share with teammates. Re-encrypt a project key for a teammate using their public key. No shared passwords, no plaintext handoff.
  • Multiple environments per project. Keep development, staging, and production secrets separate, each with its own encryption key.
  • History and rollback. Every change to a secret is versioned. Roll back to any previous value.
  • Run commands with secrets injected. klef run launches your process with the current environment's secrets set as environment variables, without ever writing them to disk.

How it stays zero-knowledge

Your encryption password never leaves your device. Klef derives keys from it locally with Argon2id and libsodium, then encrypts every secret value before it is uploaded. The server validates permissions and stores ciphertext. Even Klef's operators cannot read your secrets.

See Security model for the full picture, including the key chain and recovery.

The CLI is primary

If a feature works in the web app but not the CLI, that is a bug. The CLI is the supported surface for everything in Klef.