# envpkt keygen

Generate an age keypair and optionally update `envpkt.toml` with the recipient public key, identity name, and key file path. This is the bridge between `envpkt env scan --write` (which discovers what needs protecting) and `envpkt seal` (which encrypts it to the recipient generated here).
```sh
envpkt keygen [options]
```

## Options

| Option | Description | Default |
|---|---|---|
| `-c, --config <path>` | Path to `envpkt.toml` (updates `[identity]` if found) | `./envpkt.toml` |
| `-o, --output <path>` | Output path for the identity file | `~/.envpkt/<project>-key.txt` (derived) |
| `--global` | Write to the shared `~/.envpkt/age-key.txt` path | `false` |
## Key Path Resolution

By default, `keygen` writes to a project-specific path derived from the config file's directory and name, so two projects (or two environments of the same project) never end up sharing a key by accident.
Derivation rules:
| Config file path | Default output path |
|---|---|
| `my-project/envpkt.toml` | `~/.envpkt/my-project-key.txt` |
| `my-project/prod.envpkt.toml` | `~/.envpkt/my-project-prod-key.txt` |
| `my-project/dev.envpkt.toml` | `~/.envpkt/my-project-dev-key.txt` |
Explicit overrides, in priority order (the first one that applies wins):

1. `-o`/`--output` flag (highest priority)
2. `--global` flag → `~/.envpkt/age-key.txt` (the shared default)
3. `ENVPKT_AGE_KEY_FILE` environment variable
4. Derived project-specific path (default)
For CI environments, set `ENVPKT_AGE_KEY` to the inline key content instead of pointing at a file, so the runner never needs an identity file on disk.
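The derivation table and the precedence list above are easy to get wrong when scripting around `keygen` (for example, pre-creating directories or checking which file a CI job will read). The following is an added shell illustration, not envpkt's source: it re-implements the documented derivation and precedence so they can be checked without running the tool. It assumes `~` means `$HOME`, and, since the page only shows `<dir>/…` paths, it assumes that a bare `envpkt.toml` with no directory component takes the current working directory's name as the project name.

```bash
#!/usr/bin/env bash
# Illustration of the documented key-path rules. NOT envpkt's source code;
# it mirrors the derivation table and the override precedence from the docs.
set -euo pipefail

# derive_key_path CONFIG_PATH
#   <dir>/envpkt.toml       -> $HOME/.envpkt/<dir>-key.txt
#   <dir>/<env>.envpkt.toml -> $HOME/.envpkt/<dir>-<env>-key.txt
# Assumption (not stated on the page): a bare "envpkt.toml" uses the
# current working directory's name as <dir>.
derive_key_path() {
  local config="$1" dir project file envname
  dir=$(dirname "$config")
  if [ "$dir" = "." ]; then
    dir=$PWD
  fi
  project=$(basename "$dir")
  file=$(basename "$config")
  case "$file" in
    envpkt.toml)
      printf '%s/.envpkt/%s-key.txt\n' "$HOME" "$project" ;;
    *.envpkt.toml)
      envname=${file%.envpkt.toml}
      if [ -z "$envname" ]; then
        echo "error: $config has an empty environment prefix" >&2
        return 1
      fi
      printf '%s/.envpkt/%s-%s-key.txt\n' "$HOME" "$project" "$envname" ;;
    *)
      echo "error: $config does not look like an envpkt config" >&2
      return 1 ;;
  esac
}

# resolve_key_path CONFIG_PATH [OUTPUT_PATH] [GLOBAL]
# Precedence from the docs, highest first:
#   OUTPUT_PATH non-empty   -> used verbatim            (-o / --output)
#   GLOBAL = 1              -> $HOME/.envpkt/age-key.txt (--global)
#   ENVPKT_AGE_KEY_FILE set -> its value
#   otherwise               -> derive_key_path CONFIG_PATH
resolve_key_path() {
  local config="$1" output="${2:-}" global="${3:-0}"
  if [ -n "$output" ]; then
    printf '%s\n' "$output"
  elif [ "$global" = "1" ]; then
    printf '%s/.envpkt/age-key.txt\n' "$HOME"
  elif [ -n "${ENVPKT_AGE_KEY_FILE:-}" ]; then
    printf '%s\n' "$ENVPKT_AGE_KEY_FILE"
  else
    derive_key_path "$config"
  fi
}

# Usage: ./resolve.sh my-project/prod.envpkt.toml [output-path] [1 for --global]
if [ "$#" -gt 0 ]; then
  resolve_key_path "$@"
fi
```

Run it with a config path to see where the identity file would land; pass a second argument to emulate `-o`, or `"" 1` to emulate `--global`. Note that `--global` still beats `ENVPKT_AGE_KEY_FILE`, which matters in CI images that export the variable for every job.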
## Examples

```sh
# Generate a project-specific keypair (writes to ~/.envpkt/<project>-key.txt)
envpkt keygen

# Generate for a specific config: distinct path per config
envpkt keygen -c prod.envpkt.toml   # → ~/.envpkt/<project>-prod-key.txt
envpkt keygen -c dev.envpkt.toml    # → ~/.envpkt/<project>-dev-key.txt

# Generate to a custom path
envpkt keygen -o ./keys/agent-key.txt

# Use the shared global default (rare; prefer project-specific)
envpkt keygen --global
```

## No --force Flag
`keygen` refuses to overwrite an existing key file. This is intentional: overwriting a key silently destroys access to everything sealed against its recipient, and once the private key is gone there is no way to recover that data. To replace a key, delete the old one explicitly, then generate again:

```sh
# Explicit deletion makes the destructive action visible in shell history
rm ~/.envpkt/<project>-key.txt
envpkt keygen
```

Before the `rm`, make sure you still hold the plaintext (or can unseal with the old key) for every config that references this identity, and after regenerating run `envpkt seal` again so the secrets are encrypted to the new recipient. The refusal is what prevents accidental key loss when multiple projects or agents run `keygen` against the same path.
## Behavior

- Checks that `age-keygen` is available on `PATH`
- Resolves the output path (flag > `--global` > env var > derived default)
- If the file exists: refuses, and prints guidance to `rm` it or pass `-o`
- Generates the keypair via `age-keygen`
- Writes the identity file with `0600` permissions
- If `envpkt.toml` exists: updates `[identity]` with `name`, `recipient`, and `key_file`
- If no config is found: prints next-step guidance
## Typical Workflow

```sh
# 1. Discover credentials
envpkt env scan --write

# 2. Generate encryption key (project-specific by default)
envpkt keygen

# 3. Seal secrets into envpkt.toml
envpkt seal
```

## Multi-Environment Projects

For projects with separate dev/prod configs, each config gets its own key automatically:

```sh
envpkt keygen -c prod.envpkt.toml
envpkt keygen -c dev.envpkt.toml
envpkt seal -c prod.envpkt.toml
envpkt seal -c dev.envpkt.toml
```

This isolates environments: each config's secrets are sealed to a different recipient, so a leaked dev key can't decrypt prod secrets.
If you want to share one key across multiple configs, generate once and reference the same key_file in both configs:
```toml
[identity]
name = "my-project"
recipient = "age1..."
key_file = "~/.envpkt/my-project-key.txt"
```

## Security Notes
- Always set `key_file` explicitly in `envpkt.toml` rather than relying on the default path. The config then tells you exactly which key it needs.
- The identity file (private key) is written with `0600` permissions (owner-only read/write); keep it that way.
- Never commit identity files to version control.
- The recipient (public key) is safe to store in `envpkt.toml` and commit.
- For CI, use the `ENVPKT_AGE_KEY` env var instead of writing the key to disk.