KeysArk
ark CLI

ark CLI documentation

Read and write your end-to-end encrypted vault from the terminal. Your plaintext and phrase stay local — only ciphertext ever leaves the device.

What is it

ark is the official KeyMask command-line client. It brings the web vault to your terminal: list items, read by path, save local files, create and update entries. All encryption and decryption happen locally with your recovery phrase — the server and cloud backend only ever handle opaque ciphertext.

Install

@keymask/cli@1.0.7
npm install -g @keymask/cli

Requires Node.js 18+. Installs the ark command (aliased as keymask).

First-time setup

Two steps: authorize this device, then import your phrase.

ark login

ark login uses device-code authorization: the terminal shows a link and a code; open it in your browser, confirm the code matches, and approve. The grant is equivalent to a browser session — it can only move ciphertext, never your phrase or plaintext.

ark import

ark import asks for your recovery phrase and sets a local unlock password. The phrase is encrypted with an Argon2id-derived key and stored locally (~/.keymask) — never uploaded. The unlock stays cached until 5 minutes of inactivity so you needn't retype the password.

Command reference

  • ark loginAuthorize this device via device code (opens the browser to confirm).
  • ark importImport a recovery phrase and set a local unlock password.
  • ark statusShow login and phrase status.
  • ark infoShow version, server source and config directory.
  • ark vaultsList all vaults on the account, flagging which match your phrase.
  • ark lsList all items in the current vault.
  • ark get <path|id> [file]Decrypt an item by path or ID; prints to stdout, or writes to a file if one is given.
  • ark save <file> [target]Save a local file (text or binary; binary is stored as an encrypted file item) into the vault; infers the target path from git origin inside a repo.
  • ark sync [folder]Two-way sync a vault folder with a local directory by mtime (the newer side wins). In a git repo the folder is optional (matched from origin); shows the plan and confirms first, preserving relative paths.
  • ark reset-anchor [vault]Clear a vault's rollback guard. Use only when you intentionally reset/restored the vault and an "index rollback detected" warning (reads) or block (writes) appears; the next load re-anchors to the current remote version.
  • ark logoutClear the local login (keeps the phrase credential).
  • ark forgetRemove the locally stored phrase credential and unlock cache.

Global options

  • --server <url>Override the server URL (default https://keymask.com).
  • --vault <id|label>Select a vault by ID or label (defaults to the first one matching your phrase).
  • --no-browserDon't auto-open the browser during login.

Common examples

Decrypt an item to a local file:

ark get github.com/me/app/.env .env

From a project directory, save .env into the vault (path inferred from git origin):

cd ~/my-project
ark save .env

Non-interactive use in CI / scripts (phrase supplied via an env var):

export KEYMASK_MNEMONIC="word1 word2 … word12"
ark get secure/api-key > key.txt

Environment variables

  • KEYMASK_SERVERServer URL (same as --server).
  • KEYMASK_MNEMONICSupply the recovery phrase directly, bypassing the local credential — for CI / scripts.
  • KEYMASK_HOMEConfig directory, defaults to ~/.keymask.
  • KEYMASK_NO_BROWSERWhen set, login won't auto-open the browser.

Security

Your phrase, derived master key and plaintext never leave your device: ark encrypts and decrypts locally and only sends ciphertext to the server and cloud. The device grant can only move ciphertext — even if leaked, it reveals nothing inside your vault.