A local-first, client-side encrypted secrets manager for developers.
Project description
rune
rune is a secure, local-first secrets management CLI designed for developers.
It lets you store, retrieve, and manage secrets safely on your machine, with strong client-side encryption, a clean namespace model, and an ergonomic workflow optimized for daily use.
Rune is intentionally simple: no servers, no accounts, no background services beyond what you explicitly start.
Features
- 🔐 Zero-trust by default
  Secrets are always encrypted client-side. Decrypted values never leave memory.
- 🗝️ Per-secret encryption keys
  Each secret can use its own encryption key.
- 🗝️ Multi-field secret storage
  Each secret can have multiple fields, allowing you to store complex secrets easily.
- 🧠 Session-based default key (optional)
  Keep an encryption key in memory for repeated use during a session.
- 🗂️ Namespaced secrets
  Organize secrets with paths like db/prod/my-db.
- 🧭 Interactive workflows
  Secure prompts, interactive lists, clipboard integration.
- 💻 Cross-platform
  Works on Linux, macOS, and Windows.
Installation
pip install rune
Getting Started
Login / Logout
Before managing secrets, you must select an active user.
At this stage, login does not authenticate or unlock anything — it simply sets the root namespace for secrets.
# Log in as a user
rune login <username>
# Log out
rune logout
The active user determines which secrets are visible and writable.
Adding Secrets
rune add db/prod/my-db -f host=localhost,port,user,password -k super-secret-key
Options:
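- Secret names support namespaces using /
- --fields / -f
  - Comma-separated list of fields
  - Fields without values are prompted securely
  - If omitted entirely, Rune stores a single-field secret
- --key / -k
  - Encryption key (securely prompted if omitted)
  - A key passed on the command line can end up in shell history and process listings; omit -k to use the prompt instead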
Retrieving Secrets
rune get db/prod/my-db
Example output:
[1] host
[2] port
[3] user
[4] password
Choose a field to copy (q to cancel):
- Selected values are copied to the clipboard by default
- Use --show to display values in the terminal
- Use --interactive to pick a secret from a list (rune ls -i shortcut)
Listing Secrets
rune ls
- Secrets are displayed as a namespace tree
- Supports filtering by namespace
- Interactive mode allows direct retrieval
Updating Secrets
rune update db/prod/my-db -f user=new-user,password,new_field=new
- Updates existing fields
- Adds new fields
- Missing values are prompted securely
Moving Secrets
rune move db/prod/my-db db/prod/cassandra
- Renames or relocates a secret within the namespace tree
Deleting Secrets
rune delete db/prod/cassandra
- By default, secrets are soft-deleted (hidden)
- Use --hard to permanently delete
- Hard deletes require the encryption key
Deleting Individual Fields
rune delete db/prod/cassandra -f password
Restoring Secrets
rune restore db/prod/cassandra
- Restores a soft-deleted secret
- All soft-deleted fields are restored
Sessions (Default Encryption Key)
Sessions allow you to keep an encryption key in memory so you don’t have to re-enter it for every operation.
- The key lives only in memory
- Stored in a local background daemon
- Never written to disk
- Communicated via a local TCP socket
Sessions are not accounts or master passwords.
They are simply a convenience mechanism for repeated encryption operations.
Starting a Session
rune session start --session-key <key>
- If the key is omitted, you’ll be prompted securely
- A session TTL can be configured (or disabled)
Ending a Session
rune session end
- Clears the session and removes the key from memory
Session Status
rune session status
Displays:
- Whether a session is active
- Associated user
- Remaining TTL (if any)
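The session behaviour described above (a key held only in memory, an optional TTL, an explicit end, and a status report) can be sketched as follows. This is an added example, not Rune's own daemon code: the class SessionKeyHolder and all of its method names are hypothetical, and the TCP transport is left out.

```python
import time
from typing import Callable, Optional


class SessionKeyHolder:
    """Hypothetical in-memory key holder; not Rune's implementation."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        # A monotonic clock means wall-clock changes cannot stretch the TTL.
        self._clock = clock
        self._key: Optional[bytearray] = None
        self._user: Optional[str] = None
        self._expires_at: Optional[float] = None  # None means no TTL

    def start(self, user: str, key: bytes, ttl_seconds: Optional[float] = None) -> None:
        self.end()  # wipe any previous key before replacing it
        self._key = bytearray(key)  # mutable copy, so it can be overwritten later
        self._user = user
        self._expires_at = None if ttl_seconds is None else self._clock() + ttl_seconds

    def end(self) -> None:
        # Best-effort wipe: only this buffer is zeroed. The immutable bytes
        # object passed to start() and copies returned by get_key() are not.
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0
        self._key = self._user = self._expires_at = None

    def _expire_if_due(self) -> None:
        if self._expires_at is not None and self._clock() >= self._expires_at:
            self.end()

    def get_key(self, user: str) -> Optional[bytes]:
        # The key is released only to the user the session was started for.
        self._expire_if_due()
        if self._key is None or user != self._user:
            return None
        return bytes(self._key)

    def status(self) -> dict:
        self._expire_if_due()
        active = self._key is not None
        remaining = None
        if active and self._expires_at is not None:
            remaining = max(0.0, self._expires_at - self._clock())
        return {"active": active, "user": self._user, "ttl_remaining": remaining}
```

Expiry is checked lazily on every access, so a key past its TTL is wiped the next time anything asks for it, even if no timer fired.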
Other commands
Show Current Configuration
rune config show
Locate Important Files
rune config where
Shows where Rune stores:
- Settings
- Profiles
- Secrets (local storage)
Profiles
Profiles allow you to save and switch between different configurations.
rune config profile save <name>
rune config profile load <name>
rune config profile list
Storage & Encryption
- Secrets are stored locally (JSON filesystem by default)
- Encryption is always client-side (decrypted secrets and encryption keys NEVER leave memory)
- Encryption mode is configurable (currently aesgcm)
Roadmap
See ROADMAP.md for planned features and upcoming milestones.
License
Apache License 2.0
File details
Details for the file rune-0.8.0.tar.gz.
File metadata
- Download URL: rune-0.8.0.tar.gz
- Upload date:
- Size: 37.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 14238db061294f4df1d0fefb90f21c8f1da50a04c3cd71a4f873eb71ede8d58e |
| MD5 | 71a6827c49ecce2a3aad034d5fad9cad |
| BLAKE2b-256 | 9978898ee6d89c8ea2a818e01245c2b62cf71785291eb3f2a89d23820c89d329 |
File details
Details for the file rune-0.8.0-py3-none-any.whl.
File metadata
- Download URL: rune-0.8.0-py3-none-any.whl
- Upload date:
- Size: 51.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ae3938dee3eb66f8582651c3ef9da7def7b5f5b0987e0b2db85278b3ab78689e |
| MD5 | 9c99b7518a7d2ecf3ee9aabfa1f17a6b |
| BLAKE2b-256 | ecee45632ead29ea226a86343251515c6edf0906c4997686054314a28d8a467d |