CLI commands 

nr-vault provides several CLI commands for DevOps automation and management.

vault:init 

Initialize the vault by creating a master key.

Command syntax 
vendor/bin/typo3 vault:init [options]
Copied!

Options 

--output, -o
Path to store the master key file (default: configured path or var/vault/master.key).
--force, -f
Overwrite existing master key (dangerous - existing secrets become unrecoverable!).
--env, -e
Output key as environment variable format instead of file.

Example 

vault:init examples 
# Initialize with default location
vendor/bin/typo3 vault:init

# Specify custom key file location
vendor/bin/typo3 vault:init --output=/secure/path/vault.key

# Output as environment variable
vendor/bin/typo3 vault:init --env
Copied!

vault:store 

Store a secret in the vault.

Command syntax 
vendor/bin/typo3 vault:store <identifier> [options]
Copied!

Arguments 

identifier
Unique identifier for the secret.

Options 

--value=SECRET
The secret value (will prompt if not provided).
--description=TEXT
Optional description.
--context=CONTEXT
Optional context for permission scoping.
--expires=TIMESTAMP
Expiration timestamp or relative time (e.g., +90 days).
--groups=GROUPS
Comma-separated list of allowed backend user group IDs.

Example 

vault:store examples 
# Interactive (prompts for secret)
vendor/bin/typo3 vault:store stripe_api_key

# With options
vendor/bin/typo3 vault:store payment_key \
  --value="sk_live_..." \
  --description="Stripe production key" \
  --context="payment" \
  --expires="+90 days" \
  --groups="1,2"
Copied!

vault:retrieve 

Retrieve a secret from the vault.

Command syntax 
vendor/bin/typo3 vault:retrieve <identifier> [options]
Copied!

Options 

--quiet, -q
Output only the secret value (for scripting).

Example 

vault:retrieve examples 
# Display with metadata
vendor/bin/typo3 vault:retrieve stripe_api_key

# For use in scripts
API_KEY=$(vendor/bin/typo3 vault:retrieve -q stripe_api_key)
Copied!

vault:list 

List all accessible secrets.

Command syntax 
vendor/bin/typo3 vault:list [options]
Copied!

Options 

--pattern=PATTERN
Filter by identifier pattern (supports * wildcard).
--format=FORMAT
Output format: table (default), json, csv.

Example 

vault:list examples 
# List all secrets
vendor/bin/typo3 vault:list

# Filter by pattern
vendor/bin/typo3 vault:list --pattern="payment_*"

# JSON output for automation
vendor/bin/typo3 vault:list --format=json
Copied!

vault:rotate 

Rotate a secret with a new value.

Command syntax 
vendor/bin/typo3 vault:rotate <identifier> [options]
Copied!

Options 

--value=SECRET
The new secret value (will prompt if not provided).
--reason=TEXT
Reason for rotation (logged in audit).

Example 

vault:rotate example 
vendor/bin/typo3 vault:rotate stripe_api_key \
  --reason="Scheduled quarterly rotation"
Copied!

vault:delete 

Delete a secret from the vault.

Command syntax 
vendor/bin/typo3 vault:delete <identifier> [options]
Copied!

Options 

--reason=TEXT
Reason for deletion (logged in audit).
--force, -f
Skip confirmation prompt.

Example 

vault:delete example 
vendor/bin/typo3 vault:delete old_api_key \
  --reason="Service deprecated" \
  --force
Copied!

vault:audit 

View the audit log.

Command syntax 
vendor/bin/typo3 vault:audit [options]
Copied!

Options 

--identifier=ID
Filter by secret identifier.
--action=ACTION
Filter by action (create, read, update, delete, rotate).
--days=N
Show entries from last N days (default: 30).
--limit=N
Maximum entries to show (default: 100).
--format=FORMAT
Output format: table (default), json.

Example 

vault:audit examples 
# View recent audit log
vendor/bin/typo3 vault:audit --days=7

# Filter by secret
vendor/bin/typo3 vault:audit --identifier=stripe_api_key

# Export to JSON
vendor/bin/typo3 vault:audit --format=json > audit.json
Copied!

vault:rotate-master-key 

Rotate the master encryption key. Re-encrypts all DEKs with a new master key.

Command syntax 
vendor/bin/typo3 vault:rotate-master-key [options]
Copied!

Options 

--old-key=PATH
Path to file containing the old master key (defaults to current configured key).
--new-key=PATH
Path to file containing the new master key (defaults to current configured key).
--dry-run
Simulate the rotation without making changes.
--confirm
Required for actual execution (safety measure).

Example 

vault:rotate-master-key examples 
# Old key from file, new key from current config
vendor/bin/typo3 vault:rotate-master-key \
  --old-key=/secure/path/old-master.key \
  --confirm

# Both keys from files
vendor/bin/typo3 vault:rotate-master-key \
  --old-key=/path/to/old.key \
  --new-key=/path/to/new.key \
  --confirm

# Dry run to verify before actual rotation
vendor/bin/typo3 vault:rotate-master-key \
  --old-key=/path/to/old.key \
  --dry-run
Copied!

vault:scan 

Scan for potential plaintext secrets in database and configuration.

Command syntax 
vendor/bin/typo3 vault:scan [options]
Copied!

Options 

--format, -f
Output format: table (default), json, or summary.
--exclude, -e
Comma-separated list of tables to exclude (supports wildcards).
--severity, -s
Minimum severity to report: critical, high, medium, low (default: low).
--database-only
Only scan database tables.
--config-only
Only scan configuration files.

The command detects:

  • Database columns with secret-like names (password, api_key, token, etc.).
  • Known API key patterns (Stripe, AWS, GitHub, Slack, etc.).
  • Extension configuration secrets.
  • LocalConfiguration secrets (SMTP password, etc.).

Severity levels 

critical
Known API key pattern detected (Stripe, AWS, etc.).
high
Password or private key column with non-empty value.
medium
Token or API key column with suspicious value.
low
Secret-like column name detected.

Example 

vault:scan examples 
# Scan all sources
vendor/bin/typo3 vault:scan

# Output as JSON for CI/CD
vendor/bin/typo3 vault:scan --format=json

# Exclude cache tables
vendor/bin/typo3 vault:scan --exclude=cache_*,cf_*

# Only show critical issues
vendor/bin/typo3 vault:scan --severity=critical
Copied!

vault:migrate-field 

Migrate existing plaintext database field values to vault storage.

Command syntax 
vendor/bin/typo3 vault:migrate-field <table> <field> [options]
Copied!

Arguments 

table
Database table name (e.g., tx_myext_settings).
field
Field name containing plaintext values to migrate.

Options 

--dry-run
Show what would be migrated without making changes.
--batch-size, -b
Number of records to process per batch (default: 100).
--where, -w
Additional WHERE clause to filter records (e.g., pid=1).
--force, -f
Migrate even if field already contains vault identifiers.
--clear-source
Clear the source field after migration (set to empty string).
--uid-field
Name of the UID field (default: uid).

Example 

vault:migrate-field examples 
# Preview migration
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --dry-run

# Migrate with specific records
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --where="pid=1"

# Migrate and clear source field
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --clear-source
Copied!

vault:cleanup-orphans 

Clean up orphaned vault secrets from deleted TCA records.

When records with vault-backed fields are deleted, the corresponding vault secrets may become orphaned. This command identifies and removes such orphaned secrets.

Command syntax 
vendor/bin/typo3 vault:cleanup-orphans [options]
Copied!

Options 

--dry-run
Show what would be deleted without making changes.
--retention-days, -r
Only delete orphans older than this many days (default: 0).
--table, -t
Only check secrets for this specific table.
--batch-size, -b
Number of secrets to check per batch (default: 100).

Example 

vault:cleanup-orphans examples 
# Preview orphan cleanup
vendor/bin/typo3 vault:cleanup-orphans --dry-run

# Only clean up orphans older than 30 days
vendor/bin/typo3 vault:cleanup-orphans --retention-days=30

# Clean up orphans for specific table only
vendor/bin/typo3 vault:cleanup-orphans --table=tx_myext_settings
Copied!