KeysArk
ark CLI

ark CLI documentation

Read and write your end-to-end encrypted vault from the terminal. Your plaintext and phrase stay local — only ciphertext ever leaves the device.

What is it

ark is the official KeysArk command-line client. It brings the web vault to your terminal: list items, read by path, save local files, create and update entries. All encryption and decryption happen locally with your recovery phrase — the server and cloud backend only ever handle opaque ciphertext.

Install

@keysark/cli@1.0.6
npm install -g @keysark/cli

Requires Node.js 18+. Installs the ark command (aliased as keysark).

First-time setup

Two steps: authorize this device, then import your phrase.

ark login

ark login uses device-code authorization: the terminal shows a link and a code; open it in your browser, confirm the code matches, and approve. The grant is equivalent to a browser session — it can only move ciphertext, never your phrase or plaintext.

ark import

ark import asks for your recovery phrase and sets a local unlock password. The phrase is encrypted with an Argon2id-derived key and stored locally (~/.keysark) — never uploaded. The unlock stays cached until 5 minutes of inactivity so you needn't retype the password.

Command reference

  • ark loginAuthorize this device via device code (opens the browser to confirm).
  • ark importImport a recovery phrase and set a local unlock password.
  • ark statusShow login and phrase status.
  • ark infoShow version, server source and config directory.
  • ark vaultsList all vaults on the account, flagging which match your phrase.
  • ark lsList all items in the current vault.
  • ark get <path|id> [file]Decrypt an item by path or ID; prints to stdout, or writes to a file if one is given.
  • ark new --title <T> [--content <C>] [--folder <p>]Create an item; reads content from stdin when --content is omitted.
  • ark set <id> [--title <T>] [--content <C>] [--folder <p>]Update an item's title, content or folder by ID.
  • ark save <file> [target]Save a local text file into the vault; infers the target path from git origin inside a repo.
  • ark rm <id>Delete an item by ID.
  • ark sync [folder]Two-way sync a vault folder with a local directory by mtime (the newer side wins). In a git repo the folder is optional (matched from origin); shows the plan and confirms first, preserving relative paths.
  • ark logoutClear the local login (keeps the phrase credential).
  • ark forgetRemove the locally stored phrase credential and unlock cache.

Global options

  • --server <url>Override the server URL (default https://keysark.com).
  • --vault <id|label>Select a vault by ID or label (defaults to the first one matching your phrase).
  • --no-browserDon't auto-open the browser during login.

Common examples

Decrypt an item to a local file:

ark get github.com/me/app/.env .env

From a project directory, save .env into the vault (path inferred from git origin):

cd ~/my-project
ark save .env

Create a new item by piping content in:

echo "my secret" | ark new --title "Notes" --folder personal

Non-interactive use in CI / scripts (phrase supplied via an env var):

export KEYSARK_MNEMONIC="word1 word2 … word12"
ark get secure/api-key > key.txt

Environment variables

  • KEYSARK_SERVERServer URL (same as --server).
  • KEYSARK_MNEMONICSupply the recovery phrase directly, bypassing the local credential — for CI / scripts.
  • KEYSARK_HOMEConfig directory, defaults to ~/.keysark.
  • KEYSARK_NO_BROWSERWhen set, login won't auto-open the browser.

Security

Your phrase, derived master key and plaintext never leave your device: ark encrypts and decrypts locally and only sends ciphertext to the server and cloud. The device grant can only move ciphertext — even if leaked, it reveals nothing inside your vault.