Skip to content
kiln

Command Reference

Complete reference for all kiln commands, global options, and usage patterns.

Global Options

Section titled “Global Options”

Available for all commands:

OptionShortDescriptionDefault
--config-cConfiguration file pathkiln.toml
--key-kPrivate key file pathAuto-discovered
--verbose-vEnable verbose outputfalse
--help-hShow help information-
--version-Show version information-

init

Section titled “init”

Initialize new kiln projects.

init key

Section titled “init key”

Generate encryption key pairs.

Terminal window
kiln init key [--path PATH] [--encrypt] [--force]
OptionDescriptionDefault
--pathKey file location~/.kiln/kiln.key
--encryptProtect with passphrasefalse
--forceOverwrite existing filesfalse

init config

Section titled “init config”

Create configuration files.

Terminal window
kiln init config [--path PATH] [--recipients NAME=KEY...] [--force]
OptionDescriptionDefault
--pathConfiguration file locationkiln.toml
--recipientsNamed recipients (repeatable)-
--forceOverwrite existing configfalse

set

Section titled “set”

Add or update environment variables.

Terminal window
kiln set <name> [value] [--file FILE]
Argument/OptionDescriptionRequired
<name>Variable nameNo (if --from-file is specified)
[value]Variable valueNo (prompts if omitted)
--file, -fEnvironment fileNo (default)
--from-fileJSON file to load variables fromNo

get

Section titled “get”

Retrieve environment variables.

Terminal window
kiln get <name> [--file FILE] [--format FORMAT]
Argument/OptionDescriptionValuesDefault
<name>Variable name-Required
--file, -fEnvironment file-default
--formatOutput formatvalue, jsonvalue

edit

Section titled “edit”

Interactive environment editing.

Terminal window
kiln edit [--file FILE] [--editor EDITOR]
OptionDescriptionDefault
--file, -fEnvironment filedefault
--editorEditor command$EDITOR

export

Section titled “export”

Output environment variables.

Terminal window
kiln export [--file FILE] [--format FORMAT]
OptionDescriptionValuesDefault
--file, -fEnvironment file-default
--formatOutput formatshell, json, yamlshell

apply

Section titled “apply”

Apply variables directly to template files

Terminal window
kiln apply [--file FILE] [TEMPLATE]
OptionDescriptionDefault
--file, -fEnvironment filedefault
--output, -oOutput file Pathstdout
--strictFail if template variables are not found-
--left-delimiterLeft delimiter to use for the template${ or $
--right-delimiterRight delimiter to use for the template} or empty

run

Section titled “run”

Execute commands with environment.

Terminal window
kiln run [OPTIONS] -- <command> [args...]
OptionDescriptionExample
--file, -fEnvironment fileproduction
--dry-runShow variables without execution-
--timeoutCommand timeout30s, 5m, 1h
--workdirWorking directory/app
--shellExecute through shell-

rekey

Section titled “rekey”

Add recipients and rotate keys.

Terminal window
kiln rekey --file FILE --add-recipient NAME=KEY [OPTIONS]
OptionDescriptionRequired
--file, -fEnvironment fileYes
--add-recipientNamed recipient (repeatable)Yes
--forceSkip confirmationsNo

info

Section titled “info”

Display file status and verification.

Terminal window
kiln info [--file FILE] [--verify]
OptionDescriptionDefault
--file, -fSpecific file (or all files)All files
--verifyTest decryption capabilityfalse

Exit Codes

Section titled “Exit Codes”
CodeMeaningCommands
0SuccessAll
1General errorAll
NCommand exit coderun (propagates target command’s exit code)

Error Categories

Section titled “Error Categories”

Configuration errors (exit 1):

  • Invalid or missing configuration file
  • Invalid recipient references
  • Access control violations

Validation errors (exit 1):

  • Invalid variable names
  • Invalid file paths
  • Invalid command arguments

Security errors (exit 1):

  • Access denied to environment files
  • Invalid or missing private keys
  • Decryption failures

Command execution behavior:

  • Target command exit code propagated
  • Target command not found (exit 1)
  • Command timeout (exit 1)

Environment Variables

Section titled “Environment Variables”

Configuration

Section titled “Configuration”
VariableDescriptionExample
KILN_PRIVATE_KEY_FILEOverride key discovery~/.ssh/kiln_key
EDITORDefault editor for edit commandvim, code --wait

Runtime Behavior

Section titled “Runtime Behavior”
VariableDescriptionUsed By
PATHCommand discoveryrun
TMPDIRTemporary file locationedit

Input Validation

Section titled “Input Validation”

Variable Names

Section titled “Variable Names”
  • Pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$
  • Case-sensitive
  • No length limit (practical limit ~1MB for entire file)

Valid examples:

  • DATABASE_URL
  • API_KEY_V2
  • _PRIVATE_VAR

Invalid examples:

  • api-key (contains hyphen)
  • 123_VAR (starts with number)
  • var.name (contains dot)

File Names

Section titled “File Names”
  • Must not contain .. (directory traversal prevention)
  • Must not contain / in logical names
  • Relative paths resolved from configuration directory

Key Formats

Section titled “Key Formats”

Age public keys:

  • Format: age1[a-z0-9]{58}
  • Length: 62 characters total
  • Encoding: Bech32

SSH public keys:

  • Ed25519: ssh-ed25519 [A-Za-z0-9+/=]+ [comment]
  • RSA: ssh-rsa [A-Za-z0-9+/=]+ [comment]
  • ECDSA: ssh-ecdsa [A-Za-z0-9+/=]+ [comment]

Command Composition

Section titled “Command Composition”

Chaining Commands

Section titled “Chaining Commands”
Terminal window
# Set multiple variables
kiln set DATABASE_URL "postgres://..." --file prod
kiln set API_KEY "sk-..." --file prod


# Verify and run
kiln info --file prod --verify && kiln run --file prod -- ./deploy.sh

Pipeline Integration

Section titled “Pipeline Integration”
Terminal window
# Export for processing
kiln export --format json | jq '.DATABASE_URL'


# Conditional execution
if kiln get DEBUG --file dev >/dev/null 2>&1; then
  kiln run --file dev -- npm run dev
fi

Error Handling

Section titled “Error Handling”
Terminal window
# Robust script pattern
set -euo pipefail


if ! kiln info --file production --verify; then
  echo "Cannot access production environment" >&2
  exit 1
fi


kiln run --file production -- ./deploy.sh

Common Patterns

Section titled “Common Patterns”

Project Initialization

Section titled “Project Initialization”
Terminal window
# 1. Generate key
kiln init key


# 2. Create config with your key
kiln init config --recipients "$(whoami)=$(cat ~/.kiln/kiln.key.pub)"


# 3. Set initial variables
kiln set DATABASE_URL
kiln set API_KEY

Team Onboarding

Section titled “Team Onboarding”
Terminal window
# Add new team member
kiln rekey --file development --add-recipient "newdev=ssh-ed25519 AAAAC3..."
kiln rekey --file staging --add-recipient "newdev=ssh-ed25519 AAAAC3..."

CI/CD Integration

Section titled “CI/CD Integration”
Terminal window
# Validate access
kiln info --file production --verify


# Deploy with environment
kiln run --file production --timeout 10m -- ./deploy.sh

Development Workflow

Section titled “Development Workflow”
Terminal window
# Load development environment
eval "$(kiln export --file development)"


# Or run directly
kiln run --file development -- npm start