Skip to main content

A local-first, client-side encrypted secrets manager for developers.

Project description

rune

rune is a secure, local-first secrets management CLI designed for developers.

It lets you store, retrieve, and manage secrets safely on your machine, with strong client-side encryption, a clean namespace model, and an ergonomic workflow optimized for daily use.

Rune is intentionally simple: no servers, no accounts, no background services beyond what you explicitly start.


Features

  • 🔐 Zero-trust by default
    Secrets are always encrypted client-side. Decrypted values never leave memory.

  • 🗝️ Per-secret encryption keys
    Each secret can use its own encryption key.

  • 🗝️ Multi-field secret storage
    Each secret can have multiple fields, allowing you to store complex secrets easily.

  • 🧠 Session-based default key (optional)
    Keep an encryption key in memory for repeated use during a session.

  • 🗂️ Namespaced secrets
    Organize secrets with paths like db/prod/my-db.

  • 🧭 Interactive workflows
    Secure prompts, interactive lists, clipboard integration.

  • 💻 Cross-platform
    Works on Linux, macOS, and Windows.


Installation

pip install rune

Getting Started

Login / Logout

Before managing secrets, you must select an active user.

At this stage, login does not authenticate or unlock anything — it simply sets the root namespace for secrets.

# Log in as a user
rune login <username>

# Log out
rune logout

The active user determines which secrets are visible and writable.


Adding Secrets

rune add db/prod/my-db -f host=localhost,port,user,password -k super-secret-key

Options:

  • Secret names support namespaces using /
  • --fields / -f
    • Comma-separated list of fields
    • Fields without values are prompted securely
    • If omitted entirely, Rune stores a single-field secret
  • --key / -k
    • Encryption key (securely prompted if omitted)

Retrieving Secrets

rune get db/prod/my-db

Example output:

[1] host
[2] port
[3] user
[4] password
Choose a field to copy (q to cancel):
  • Selected values are copied to the clipboard by default
  • Use --show to display values in the terminal
  • Use --interactive to pick a secret from a list (rune ls -i shortcut)

Listing Secrets

rune ls
  • Secrets are displayed as a namespace tree
  • Supports filtering by namespace
  • Interactive mode allows direct retrieval

Updating Secrets

rune update db/prod/my-db -f user=new-user,password,new_field=new
  • Updates existing fields
  • Adds new fields
  • Missing values are prompted securely

Moving Secrets

rune move db/prod/my-db db/prod/cassandra
  • Renames or relocates a secret within the namespace tree

Deleting Secrets

rune delete db/prod/cassandra
  • By default, secrets are soft-deleted (hidden)
  • Use --hard to permanently delete
  • Hard deletes require the encryption key

Deleting Individual Fields

rune delete db/prod/cassandra -f password

Restoring Secrets

rune restore db/prod/cassandra
  • Restores a soft-deleted secret
  • All soft-deleted fields are restored

Sessions (Default Encryption Key)

Sessions allow you to keep an encryption key in memory so you don’t have to re-enter it for every operation.

  • The key lives only in memory
  • Stored in a local background daemon
  • Never written to disk
  • Communicated via a local TCP socket

Sessions are not accounts or master passwords.
They are simply a convenience mechanism for repeated encryption operations.


Starting a Session

rune session start --session-key <key>
  • If the key is omitted, you’ll be prompted securely
  • A session TTL can be configured (or disabled)

Ending a Session

rune session end
  • Clears the session and removes the key from memory

Session Status

rune session status

Displays:

  • Whether a session is active
  • Associated user
  • Remaining TTL (if any)

Other commands

Show Current Configuration

rune config show

Locate Important Files

rune config where

Shows where Rune stores:

  • Settings
  • Profiles
  • Secrets (local storage)

Profiles

Profiles allow you to save and switch between different configurations.

rune config profile save <name>
rune config profile load <name>
rune config profile list

Storage & Encryption

  • Secrets are stored locally (JSON filesystem by default)
  • Encryption is always client-side (decrypted secrets and encryption keys NEVER leave memory)
  • Encryption mode is configurable (currently aesgcm)

Roadmap

See ROADMAP.md for planned features and upcoming milestones.


License

Apache License 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rune-0.8.0.tar.gz (37.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rune-0.8.0-py3-none-any.whl (51.5 kB view details)

Uploaded Python 3

File details

Details for the file rune-0.8.0.tar.gz.

File metadata

  • Download URL: rune-0.8.0.tar.gz
  • Upload date:
  • Size: 37.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.0

File hashes

Hashes for rune-0.8.0.tar.gz
Algorithm Hash digest
SHA256 14238db061294f4df1d0fefb90f21c8f1da50a04c3cd71a4f873eb71ede8d58e
MD5 71a6827c49ecce2a3aad034d5fad9cad
BLAKE2b-256 9978898ee6d89c8ea2a818e01245c2b62cf71785291eb3f2a89d23820c89d329

See more details on using hashes here.

File details

Details for the file rune-0.8.0-py3-none-any.whl.

File metadata

  • Download URL: rune-0.8.0-py3-none-any.whl
  • Upload date:
  • Size: 51.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.0

File hashes

Hashes for rune-0.8.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ae3938dee3eb66f8582651c3ef9da7def7b5f5b0987e0b2db85278b3ab78689e
MD5 9c99b7518a7d2ecf3ee9aabfa1f17a6b
BLAKE2b-256 ecee45632ead29ea226a86343251515c6edf0906c4997686054314a28d8a467d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page