Skip to content

AnkaSecure CLI – Command Reference

CLI build version: 3.0.0 Executable: AnkaSecureCLI
Invocation pattern: 

AnkaSecureCLI <command> [options]

The CLI is a thin wrapper over the AnkaSecure API—all cryptographic work happens server-side.
Global flags available on every command:

Flag Purpose
-h, --help Print command-specific usage.
-V, --version Display CLI build version.
--config-path=<file> Use an alternate cli.properties file.

Table of Contents

  1. Initialisation
  2. Key Lifecycle
  3. Algorithm Discovery
  4. Non-Streaming File Crypto
  5. Streaming File Crypto
  6. Public-Key Utility Streams
  7. Operational Limits
  8. Best Practices

Initialisation

init

Option Required Description
--force Overwrite an existing credential store.
--silent Non-interactive mode. All credentials must be passed via flags.
--client-id=<id> when --silent Application clientId issued by AnkaSecure.
--client-secret=<secret> when --silent Application clientSecret issued by AnkaSecure.
--config-path=<file> Alternate location for cli.properties.

Initialises an AES-GCM–encrypted credential store. Must be run once before any other command.

Key Lifecycle

generate-key

Create a brand-new key on the server.

Option Required Description
--kid=<kid> ✔︎ Logical identifier (unique).
--kty=<kty> ✔︎ Key type (e.g. RSA, ML-KEM, oct).
--alg=<alg> ✔︎ Algorithm / parameter set.
--key-ops=<ops>[,…] Allowed operations (encrypt, decrypt, sign, verify).
--exportable Mark key as exportable.
--validity-days=<n> Hard expiry in n days.
--soft-validity-days=<n> Soft-limit expiry in n days.
--max-usage-limit=<n> Hard operation counter.
--soft-usage-limit=<n> Soft operation counter.
--config-path=<file> Alternate cli.properties.

import-key

Import any key from a JSON document (KeyImportRequest or ExportedKeySpec).

Option Required Description
--json-file=<file> ✔︎ Path to JSON definition.
--config-path=<file> Alternate properties file.

import-key-pkcs12

Load a private key from a PKCS#12 bundle.

Option Required Description
--kid=<kid> ✔︎ Identifier to store the key under.
--p12-file=<file> ✔︎ .p12 / .pfx bundle (binary).
--p12-password=<pwd> Password if the bundle is protected.
--config-path=<file> Alternate properties file.

list-keys

Return metadata for all stored keys.

Option Description
--config-path=<file> Alternate properties file.

export-key

Export public material + metadata as JSON.

Option Required Description
--kid=<kid> ✔︎ Key identifier.
--output-file=<file> ✔︎ Destination JSON file.
--config-path=<file> Alternate properties file.

remove-key

Hard-delete a key.

Option Required Description
--kid=<kid> ✔︎ Key identifier.
--config-path=<file> Alternate properties file.

revoke-key

Set status → REVOKED.

Option Required Description
--kid=<kid> ✔︎ Key identifier.
--config-path=<file> Alternate properties file.

patch-key

Apply an RFC 7396 JSON Merge-Patch to update limits or expiry.

Option Required Description
--kid=<kid> ✔︎ Target key.
--expires-at=<RFC3339> New hard expiry.
--soft-limit-expiration=<RFC3339> New soft expiry.
--soft-usage-limit=<n> New soft operation cap.
--max-usage-limit=<n> New hard operation cap.
--config-path=<file> Alternate properties file.

create-rotation

Immediate rotation to a successor key.

Option Required Description
--kid=<currentKid> ✔︎ Key to be rotated.
--successor-kid=<newKid> ✔︎ Identifier for the new key.
--kty=<kty> ✔︎ Key type of successor.
--alg=<alg> ✔︎ Algorithm / parameter set.
--key-ops=<ops>[,…] Allowed operations for successor.
--exportable Mark successor as exportable.
--validity-days=<n> Hard expiry (days).
--soft-validity-days=<n> Soft expiry (days).
--max-usage-limit=<n> Hard usage cap.
--soft-usage-limit=<n> Soft usage cap.
--config-path=<file> Alternate properties file.

Algorithm Discovery

get-supported-algorithms

Retrieve the supported algorithm catalogue with optional server-side filtering.

Filter Options:

Option Type Description
--kty=<types> comma-separated Filter by key type(s): ML-KEM, ML-DSA, RSA, EC, oct
--alg=<algorithms> comma-separated Filter by algorithm(s): ML-KEM-768, RSA-4096, etc.
--category=<category> string Filter by category: POST_QUANTUM, CLASSICAL
--status=<status> string Filter by status: RECOMMENDED, LEGACY
--key-ops=<ops> comma-separated Required operations: encrypt, decrypt, sign, verify
--security-level=<n> integer Exact NIST security level: 1, 3, or 5
--min-security-level=<n> integer Minimum NIST security level (inclusive)
--max-security-level=<n> integer Maximum NIST security level (inclusive)
--standards=<standards> comma-separated Required standards: NIST, BSI, ANSSI, etc.
--composite-mode=<modes> comma-separated Composite modes: HYBRID_KEM_COMBINE, DUALSIGN
--composite-only flag Only algorithms supporting composite keys

Output Options:

Option Description
--format=<format> Output format: detailed (default), table, json
--count Show only the count of matching algorithms
--config-path=<file> Alternate properties file.

Filter Logic:

  • AND: --key-ops, --standards (must support ALL specified values)
  • OR: --kty, --alg, --composite-mode (matches ANY specified value)

Examples:

# List all algorithms
get-supported-algorithms

# Post-quantum algorithms only
get-supported-algorithms --category POST_QUANTUM

# Recommended algorithms at security level 3+
get-supported-algorithms --status RECOMMENDED --min-security-level 3

# Encryption-capable algorithms in table format
get-supported-algorithms --key-ops encrypt,decrypt --format table

# Count PQC algorithms
get-supported-algorithms --category POST_QUANTUM --count

# JSON output for scripting
get-supported-algorithms --format json | jq '.[].alg'

Non-Streaming File Crypto

encrypt-file

Option Required Description
--kid=<kid> ✔︎ Public key for encryption.
--input-file=<file> ✔︎ Plaintext source.
--output-file=<file> ✔︎ Compact JWE destination.
--config-path=<file> Alternate properties file.

decrypt-file

Option Required Description
--input-file=<file> ✔︎ Compact JWE source.
--output-file=<file> ✔︎ Plaintext destination.
--config-path=<file> Alternate properties file.

sign-file

Option Required Description
--kid=<kid> ✔︎ Private key for signing.
--input-file=<file> ✔︎ Data to sign.
--output-jws-file=<file> ✔︎ Compact JWS destination.
--config-path=<file> Alternate properties file.

verify-signature

Option Required Description
--jws-file=<file> ✔︎ Compact JWS to verify.
--config-path=<file> Alternate properties file.

reencrypt-file

Option Required Description
--new-kid=<kid> ✔︎ Public key that will protect the refreshed JWE.
--input-file=<file> ✔︎ Original Compact JWE.
--output-file=<file> ✔︎ New Compact JWE.
--config-path=<file> Alternate properties file.

resign-file

Option Required Description
--new-kid=<kid> ✔︎ Private key for the replacement signature.
--old-jws-file=<file> ✔︎ Original Compact JWS.
--new-jws-file=<file> ✔︎ Refreshed Compact JWS.
--config-path=<file> Alternate properties file.

Streaming File Crypto

encrypt-file-stream

Option Required Description
--kid=<kid> ✔︎ Public key for encryption.
--input-file=<file> ✔︎ Plaintext source.
--output-file=<file> ✔︎ Detached JWET destination.
--config-path=<file> Alternate properties file.

decrypt-file-stream

Option Required Description
--input-file=<file> ✔︎ Detached JWET source.
--output-file=<file> ✔︎ Plaintext destination.
--config-path=<file> Alternate properties file.

sign-file-stream

Option Required Description
--kid=<kid> ✔︎ Private key for signing.
--input-file=<file> ✔︎ Data stream.
--output-signature-file=<file> ✔︎ Detached-JWS destination.
--config-path=<file> Alternate properties file.

verify-signature-stream

Option Required Description
--input-file=<file> ✔︎ Data stream.
--input-signature-file=<file> ✔︎ Detached-JWS to verify.
--config-path=<file> Alternate properties file.

reencrypt-file-stream

Option Required Description
--new-kid=<kid> ✔︎ Public key that will protect the refreshed ciphertext.
--input-file=<file> ✔︎ Original detached JWET.
--output-file=<file> ✔︎ New detached JWET.
--source-kid-override=<kid> Override when legacy JWE header lacks kid.
--config-path=<file> Alternate properties file.

resign-file-stream

Option Required Description
--new-kid=<kid> ✔︎ Private key for new signature.
--old-signature-file=<file> ✔︎ Existing detached-JWS.
--input-file=<file> ✔︎ Data stream.
--new-signature-file=<file> ✔︎ Refreshed detached-JWS.
--config-path=<file> Alternate properties file.

Public-Key Utility Streams

encrypt-file-publickey-stream

Encrypt with a caller-supplied public key (not stored server-side).

Option Required Description
--kty=<kty> ✔︎ Key type.
--alg=<alg> ✔︎ Algorithm / parameter set.
--public-key=<json> ✔︎ JSON file holding ExportedKeySpec.publicKey.
--input-file=<file> ✔︎ Plaintext source.
--output-file=<file> ✔︎ Detached JWET destination.
--config-path=<file> Alternate properties file.

verify-signature-publickey-stream

Verify with a caller-supplied public key.

Option Required Description
--kty=<kty> ✔︎ Key type.
--alg=<alg> ✔︎ Algorithm / parameter set.
--public-key=<json> ✔︎ JSON file holding ExportedKeySpec.publicKey.
--input-signature-file=<file> ✔︎ Detached-JWS to verify.
--input-file=<file> ✔︎ Data stream.
--config-path=<file> Alternate properties file.

Operational Limits

Resource Default (Demo tenant)
Max JSON payload 5 MiB
Max streaming chunk size 5 MiB
Access-token lifetime 1 h
Refresh-token lifetime 72 h

Custom limits are available for production tenants—contact support.

Best Practices

  1. Run init once per environment; never store plaintext credentials.
  2. Use *-stream commands for any artefact larger than 5 MiB.
  3. Rotate keys with create-rotation and leverage warnings in API responses.
  4. Query get-supported-algorithms before generate-key to enforce policy.
  5. Gate CI/CD jobs on CLI exit codes—non-zero means failure.

© 2025 ANKATech Solutions INC. All rights reserved.
Relative links ensured for seamless MkDocs integration.