# asd vault — local secret storage

Encrypted local store for things you don't want sitting in .env. Get, set, list, inject. Run commands with secrets piped in via env vars.
asd vault is for credentials that need to live somewhere safer
than .env but don't warrant a full HashiCorp Vault / AWS Secrets
Manager setup. Local to the machine, encrypted at rest, scoped per
project (or shared via the global scope).
| Command | What it does |
|---|---|
| `asd vault set <key>` | Create or update a secret. Prompts for the value (use stdin redirect for scripted writes, so the value never appears on a command line). |
| `asd vault get <key>` | Print the decrypted value to stdout. Mind where stdout ends up: terminal scrollback, logs, and shell history if you paste it into another command. |
| `asd vault list` | List secrets (metadata only, no values). |
| `asd vault delete <key>` | Soft-delete a secret (recoverable until vault GC). |
| Command | What it does |
|---|---|
| `asd vault export <dir>` | Export decrypted secrets to a directory (reconstructs original files). The output is plaintext on disk, so restrict its permissions and remove it when done. |
| `asd vault import <dir>` | Bulk import from a directory of files. |

| Command | What it does |
|---|---|
| `asd vault inject <template>` | Substitute `asd://<key>` references in a template file with their values. |
| `asd vault run <env-template> -- <command>` | Run a command with secrets injected from an env template. |

| Command | What it does |
|---|---|
| `asd vault keys` | Manage the encryption keys for vault scopes. |
| `asd vault migrate` | Migrate secrets between encryption tiers (e.g. machine-bound → portable). |
## asd:// reference syntax

In files passed to `asd vault inject`, references look like:

```yaml
# config.yaml.tmpl
database:
  password: asd://prod/db-password
api:
  oauth_secret: asd://prod/oauth-client-secret
```
`asd vault inject config.yaml.tmpl > config.yaml` substitutes each `asd://...` reference with the decrypted value. The template syntax is the contract: secrets stay out of git history because the template, not the rendered file, is what you commit. Add the rendered file (`config.yaml` here) to `.gitignore` so it cannot be committed by accident.
| Goal | Command |
|---|---|
| Stash an OIDC client secret | `asd vault set oidc-client-secret` |
| Run a command with vault secrets as env vars | `asd vault run env-template -- ./my-script.sh` |
| Materialise a config file from a template | `asd vault inject app.yml.tmpl > app.yml` |
| List secrets without leaking values | `asd vault list` |
| Migrate from .env to vault | Set each secret, then drop it from .env (`asd vault inject` covers reads) |
## .env

.env is plaintext. Whoever can read the file (anyone with shell access, anyone who clones the repo if it was ever committed) reads the secrets.

Vault is encrypted at rest. Reads require the key (machine-bound or scope-bound).

Templates keep secrets out of generated artefacts. Commit `app.yml.tmpl` with `asd://...` references, run `asd vault inject` at deploy time, and the rendered `app.yml` is ephemeral. The repo history never sees the secret.

`asd vault run` is the cleanest pattern for short-lived processes (CI jobs, one-off scripts): secrets live in the environment of one process and disappear when it exits. They are still inherited by anything that process spawns, and on Linux any process running as the same user can read them from `/proc/<pid>/environ`, so keep the command's child processes and its user account in mind.
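The following Python is an added example, not asd's own code, showing the two patterns above (inject and run) as a minimal model so the `asd://` contract is concrete: references are matched with a strict pattern, an unresolvable reference refuses to render rather than producing an empty secret, the rendered file is created with mode 0600, and the run pattern passes secrets only through the child's environment. The in-memory `STORE`, the `KEY=asd://scope/key` env-template format and all function names are assumptions made for the illustration.

```python
"""Added example (not asd's own code): a minimal model of what `asd vault
inject` and `asd vault run` do with asd:// references. The decrypted store,
the env-template format (KEY=asd://scope/key per line) and the function
names below are assumptions for this illustration."""
import os
import re
import subprocess
import sys
import tempfile

# Constructed stand-in for the decrypted vault: scope -> key -> value.
# Real secrets never sit in source like this; it exists so the example runs offline.
STORE = {
    "prod": {
        "db-password": "hunter2-but-longer",
        "oauth-client-secret": "oc-s3cr3t",
    }
}

# asd://<scope>/<key>. A restrictive character set means a stray "asd://"
# in prose never swallows the rest of a line.
REF_RE = re.compile(r"asd://([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")


class UnresolvedReference(KeyError):
    """Raised when a template names a secret the store does not have."""


def resolve(scope: str, key: str) -> str:
    try:
        return STORE[scope][key]
    except KeyError:
        # Fail closed: an empty password in a rendered config is worse than no config.
        raise UnresolvedReference(f"asd://{scope}/{key}") from None


def render(template: str) -> str:
    """Substitute every asd:// reference; raise if any cannot be resolved."""
    return REF_RE.sub(lambda m: resolve(m.group(1), m.group(2)), template)


def write_rendered(path: str, content: str) -> None:
    """Create the rendered file 0600 from the start instead of chmod after the fact."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


def env_from_template(env_template: str) -> dict:
    """Parse KEY=asd://scope/key lines (assumed format) into a resolved env dict."""
    env = {}
    for raw in env_template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        env[name.strip()] = render(value.strip())
    return env


def run_with_secrets(env_template: str, argv: list) -> subprocess.CompletedProcess:
    """Run argv with resolved secrets in its environment only; nothing touches disk."""
    env = dict(os.environ)
    env.update(env_from_template(env_template))
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


# Constructed sample inputs mirroring the template shown above.
CONFIG_TMPL = """\
database:
  password: asd://prod/db-password
api:
  oauth_secret: asd://prod/oauth-client-secret
"""

ENV_TMPL = "DB_PASSWORD=asd://prod/db-password\n# comment\nOAUTH=asd://prod/oauth-client-secret\n"

if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "config.yaml")
    write_rendered(out, render(CONFIG_TMPL))
    print(oct(os.stat(out).st_mode & 0o777))  # 0o600
    proc = run_with_secrets(
        ENV_TMPL, [sys.executable, "-c", "import os; print(len(os.environ['DB_PASSWORD']))"]
    )
    print(proc.stdout.strip())
    try:
        render("token: asd://prod/missing\n")
    except UnresolvedReference as exc:
        print("refused to render:", exc)
```

The child in the run pattern prints only the length of the injected value, which is the habit to keep in CI logs: confirm a secret arrived without echoing it.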
See also:

- cli/auth — tunnel-server credentials (separate from vault).
- cookbook/ci-cd-with-asd — using asd vault in CI pipelines.
- learn/04-multi-environment — `.env.<mode>` for non-secret per-env values.