Commands
Agent
Manage the background agent that caches your unlock between commands.
The background agent caches your derived keys in memory so you only enter your encryption password once per session instead of on every command. The password itself never enters the agent: the agent receives only the keys derived from it, once the CLI has finished its local Argon2id round.
How the cache behaves
- Keys live in the agent's in-process memory only, never on disk.
- They expire after 1 hour of inactivity (the timer renews on each use).
- There is an 8 hour hard cap that never renews.
- The agent's socket file is private to your user (mode 0600), and cached buffers are zeroed before they are dropped.
- Set KLEF_NO_AGENT=1 to disable the agent entirely.
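
The expiry rules above, modeled as an added example (not klef's own code): a sliding 1-hour idle timer combined with a fixed 8-hour cap, with the buffer overwritten on lock. The KeyCache class, the simulate helper and the sample key are hypothetical, and Python cannot guarantee that no other copy of the key exists in memory, so this illustrates the policy rather than real memory hygiene.

```python
import time

IDLE_TTL = 60 * 60        # 1 hour of inactivity (from the page)
HARD_CAP = 8 * 60 * 60    # 8 hour hard cap (from the page)


class KeyCache:
    """Hypothetical model of the cache policy; not klef's implementation."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = None          # bytearray so it can be overwritten in place
        self._unlocked_at = 0.0   # fixed at unlock; never renewed
        self._last_used = 0.0     # renewed on every successful get()

    def unlock(self, derived_key):
        self.lock()               # wipe any previously cached key first
        self._key = bytearray(derived_key)
        self._unlocked_at = self._last_used = self._clock()

    def lock(self):
        if self._key is not None:
            for i in range(len(self._key)):   # zero the buffer before dropping it
                self._key[i] = 0
            self._key = None

    def get(self):
        """Return the live key buffer, or None if the caller must re-prompt."""
        if self._key is None:
            return None
        now = self._clock()
        idle_expired = now - self._last_used >= IDLE_TTL
        cap_reached = now - self._unlocked_at >= HARD_CAP
        if idle_expired or cap_reached:
            self.lock()
            return None
        self._last_used = now     # a use renews the idle timer, never the cap
        return self._key          # no copy, so lock() also wipes what callers hold


def simulate(offsets_s):
    """Unlock at t=0, call get() at each offset in seconds; True = key served."""
    now = [0.0]
    cache = KeyCache(clock=lambda: now[0])
    cache.unlock(b"\x01" * 32)    # constructed sample key, not real key material
    results = []
    for t in offsets_s:
        now[0] = float(t)
        results.append(cache.get() is not None)
    return results
```

Calling simulate with a use every 30 minutes shows the key still being served at 7.5 hours and refused at 8 hours, even though the idle timer was never allowed to run out.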
klef agent
Manage the agent process.
| Command | Description |
|---|---|
| klef agent start | Start the agent. Idempotent: does nothing if already running. |
| klef agent status | Show whether the agent is running and whether keys are cached. |
| klef agent lock | Clear cached keys but keep the agent running. Re-prompts next time. |
| klef agent stop | Stop the agent process entirely. |
```sh
klef agent start
klef agent status
klef agent stop
```

klef lock
Clear the cached unlock. This is an alias for klef agent lock: it wipes the
cached keys so the next command re-prompts for your encryption password, while
leaving the agent running.
```sh
klef lock
```

Locking when you step away
Run klef lock (or klef agent stop) before leaving a shared machine so your
keys are not sitting in memory.