secrethub
Manage secrets securely using SecretHub
TLDR
Print a secret to stdout
Generate a random value and store it as a new or updated secret
Store a value from the clipboard as a new or updated secret
Store a value supplied on stdin as a new or updated secret
Audit a repository or secret
SYNOPSIS
secrethub [GLOBAL_OPTIONS] COMMAND [COMMAND_OPTIONS] [ARGUMENTS]
PARAMETERS
--debug
Enables verbose debug logging for the command execution, useful for troubleshooting issues.
--json
Outputs the command's result in a structured JSON format, ideal for scripting and automation.
--log-level <level>
Sets the minimum log level for output messages. Common values include info, warn, error, and debug.
--version
Prints the installed SecretHub CLI version and exits.
COMMAND_SPECIFIC_OPTIONS
Each secrethub COMMAND (e.g., read, write, run) has its own set of specific options that control its behavior. These are typically listed in the help output for each subcommand (e.g., `secrethub read --help`).
DESCRIPTION
secrethub is the command-line interface (CLI) for SecretHub, a cloud-based platform designed for centralized and secure management of application secrets. It allows developers and operations teams to store, retrieve, and manage sensitive data like API keys, database credentials, and certificates securely. The CLI provides commands to integrate secret management into development workflows, enabling actions such as reading secrets, writing new secrets, managing access controls, and injecting secrets directly into applications as environment variables or files. Its core purpose is to minimize the risk of exposing sensitive information by providing a secure, auditable, and version-controlled environment for secrets. Users authenticate to the SecretHub service, and all secret operations are encrypted and permission-controlled.
CAVEATS
Using secrethub requires an active SecretHub account and proper authentication. Network connectivity to the SecretHub service is essential for most operations. Access to secrets is strictly controlled by permissions, meaning users can only interact with secrets they are explicitly authorized to access. The CLI stores configuration and authentication tokens locally, so the user's system must itself be secured to prevent unauthorized access to these credentials.
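One way to check the locally stored configuration and tokens mentioned above for loose file permissions. This is an added example, not part of the SecretHub CLI; the function names are hypothetical and the default directory ~/.secrethub is an assumption, so pass the real location as the first argument.

```shell
#!/bin/sh
# Added example: audit a local CLI credential directory for loose permissions.
# Assumption: the default directory below; pass the actual path as $1.

# Print every entry under DIR that grants any permission to group/other or
# is owned by a different user.
# Returns 0 if clean, 1 if there are findings, 2 if DIR does not exist.
audit_cred_dir() {
    dir=${1:-$HOME/.secrethub}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # -perm /077 (GNU find syntax): any group or other permission bit is set.
    # Symlinks are skipped because their own mode bits carry no meaning.
    findings=$(find "$dir" ! -type l \( -perm /077 -o ! -user "$(id -u)" \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Remove all group/other access from DIR and everything below it.
harden_cred_dir() {
    chmod -R go-rwx "${1:-$HOME/.secrethub}"
}
```

Run audit_cred_dir from a login profile or a periodic job and treat a non-zero exit status as a finding to investigate before calling harden_cred_dir.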
CORE SUBCOMMANDS
The secrethub command operates primarily through subcommands, each designed for a specific task. Key subcommands include:
read: Retrieves a secret from SecretHub.
write: Stores a new secret or updates an existing one.
run: Executes a command with secrets injected into the environment.
ls: Lists secrets or directories within SecretHub.
acl: Manages access control lists for secrets and paths.
login: Authenticates the CLI with the SecretHub service.
SECRET PATHS
Secrets in SecretHub are organized hierarchically using paths, similar to a file system (e.g., secrethub://my-org/my-app/database/password). These paths are crucial for uniquely identifying secrets and applying granular access controls and permissions.
AUTHENTICATION
Users authenticate to the SecretHub service using various methods, including a SecretHub account with personal access tokens, or through integrations with cloud provider identity management systems (e.g., AWS IAM, Azure AD, GCP IAM). Once authenticated, session tokens are securely stored locally to maintain access.
HISTORY
SecretHub originated as an independent company focused on providing a cloud-native secrets management platform. It was later acquired by HashiCorp in April 2021. Post-acquisition, SecretHub continued to operate as a distinct product within the HashiCorp portfolio, complementing HashiCorp Vault by offering a fully managed SaaS solution for secrets, particularly appealing to organizations seeking a cloud-first approach without managing the underlying infrastructure.