argon2id key derivation aes-256-gcm encryption atomic vault writes pip installable zero plaintext on disk
v1.0

YOUR API KEYS
LIVE HERE NOW.

ankylo is an encrypted, local-first key vault that lives entirely in your terminal. Store, retrieve, manage, and inject API keys without ever touching a browser or plaintext file.

Get Started View on GitHub

What is ankylo

KEYS SECURED.
WORKFLOW INTACT.

ankylo is a command-line API key vault built for developers who want their secrets stored securely without leaving the terminal. Your entire vault lives in a single encrypted file on disk โ€” no cloud sync, no accounts, no browser required.

Every entry is protected by a master password you choose at initialization. That password never touches disk โ€” instead, it's run through Argon2id to derive an encryption key, which then encrypts your vault with AES-256-GCM. Even if someone gets your vault file, they get nothing useful.

Need to grab a key fast? One command copies it straight to your clipboard. Need to bulk-import from a dotenv file? ankylo reads it. Need to export back out? ankylo writes it. Everything stays in the terminal, everything stays encrypted at rest.

Security architecture

BUILT ON SERIOUS CRYPTO.

๐Ÿ”‘
KDF
Argon2id
Memory-hard password hashing resistant to GPU and side-channel attacks. Your password never hits disk.
๐Ÿ”’
Encryption
AES-256-GCM
Authenticated encryption with associated data. Every vault save generates a fresh nonce, providing both confidentiality and tamper detection.
๐Ÿ’พ
Storage
Atomic Writes
Vault updates write to a temp file first, then atomically replace the old one. No partial writes, no corruption risk on crash or power failure.
๐Ÿ“‹
Access
Clipboard Delivery
Retrieved keys are copied directly to your clipboard, protecting against shell history and screen captures.
๐Ÿ“
File I/O
Dotenv Compatible
Import entries from NAME=KEY formatted files in bulk. Export your vault back out to the same format for use in other tools.
โšก
Interface
Typer CLI
Built with Typer for a fast, clean command-line experience with auto-generated help text and argument validation out of the box.

Command reference

EVERYTHING YOU NEED.

ankylo init
โ€”
Create and initialize a new encrypted vault. Prompts you to set a master password. Run this once before anything else.
ankylo add
-n <name>  |  -in <file>
Add a single entry by name (-n), or bulk-import from a NAME=KEY formatted file (-in). Exactly one flag required.
ankylo get
-n <name>  |  -i <index>  [--show]
Retrieve a key by name or index. Copies it silently to clipboard. Pass --show to also print the key and timestamp to the terminal.
ankylo list
[--show]
List all vault entries with their indices. Add --show to reveal key values.
ankylo export
-out <file>  [-n <name>]  [-i <index>]  [.]
Export entries to a NAME=KEY formatted file. Select by name, index, or pass . to export all. Flags -n and -i accept multiple values but cannot be combined.
ankylo env
<name>  [-s bash|powershell|cmd]
Print a shell export statement for the named entry. Pipe into your shell to inject the key as an environment variable โ€” readable by any process in the session, gone when the terminal closes.
bash / zsh
eval $(ankylo env openai)
PowerShell
Invoke-Expression (ankylo env openai -s powershell)
ankylo delete
-n <name>  |  -i <index>
Delete a vault entry by name or index. Prompts for confirmation before removal. Permanent โ€” cannot be undone.
ankylo delete-vault
โ€”
Permanently delete the entire vault and all stored keys. Requires CLI confirmation then master password verification before deletion. Irreversible.
ankylo --version
โ€”
Display the current version.

Installation

UP IN SECONDS.

Option 1 โ€” install from GitHub
$ pip install git+https://github.com/Iced-code/ankylo.git
Option 2 โ€” clone and install
$ git clone https://github.com/Iced-code/ankylo.git
$ cd ankylo
$ pip install .
01
ankylo init
Create your vault and set a master password
02
ankylo add -n openai
Add your first entry โ€” you'll be prompted for the key value
03
ankylo get -n openai
Key copied to clipboard. Paste it wherever you need it.
04
eval $(ankylo env openai)
Inject the key into your shell session as an environment variable.
05
ankylo list
See all stored entries and their timestamps
06
ankylo export -out .env .
Export all stored entries to file ".env"