CLI commands
nr-vault provides several CLI commands for DevOps automation and management.
vault:init
Initialize the vault by creating a master key.
Command syntax
vendor/bin/typo3 vault:init [options]
Copied!
Options
- --output, -o
- Path to store the master key file (default: configured path or
var/).vault/ master. key - --force, -f
- Overwrite existing master key (dangerous - existing secrets become unrecoverable!).
- --env, -e
- Output key as environment variable format instead of file.
Example
vault:init examples
# Initialize with default location
vendor/bin/typo3 vault:init
# Specify custom key file location
vendor/bin/typo3 vault:init --output=/secure/path/vault.key
# Output as environment variable
vendor/bin/typo3 vault:init --env
Copied!
Warning
The master key file should be stored outside the webroot with restricted permissions (0400 or 0600). Never commit it to version control.
vault:store
Store a secret in the vault.
Command syntax
vendor/bin/typo3 vault:store <identifier> [options]
Copied!
Arguments
- identifier
- Unique identifier for the secret.
Options
- --value=SECRET
- The secret value (will prompt if not provided).
- --description=TEXT
- Optional description.
- --context=CONTEXT
- Optional context for permission scoping.
- --expires=TIMESTAMP
- Expiration timestamp or relative time (e.g.,
+90 days). - --groups=GROUPS
- Comma-separated list of allowed backend user group IDs.
Example
vault:store examples
# Interactive (prompts for secret)
vendor/bin/typo3 vault:store stripe_api_key
# With options
vendor/bin/typo3 vault:store payment_key \
--value="sk_live_..." \
--description="Stripe production key" \
--context="payment" \
--expires="+90 days" \
--groups="1,2"
Copied!
vault:retrieve
Retrieve a secret from the vault.
Command syntax
vendor/bin/typo3 vault:retrieve <identifier> [options]
Copied!
Options
- --quiet, -q
- Output only the secret value (for scripting).
Example
vault:retrieve examples
# Display with metadata
vendor/bin/typo3 vault:retrieve stripe_api_key
# For use in scripts
API_KEY=$(vendor/bin/typo3 vault:retrieve -q stripe_api_key)
Copied!
vault:list
List all accessible secrets.
Command syntax
vendor/bin/typo3 vault:list [options]
Copied!
Options
- --pattern=PATTERN
- Filter by identifier pattern (supports
*wildcard). - --format=FORMAT
- Output format: table (default), json, csv.
Example
vault:list examples
# List all secrets
vendor/bin/typo3 vault:list
# Filter by pattern
vendor/bin/typo3 vault:list --pattern="payment_*"
# JSON output for automation
vendor/bin/typo3 vault:list --format=json
Copied!
vault:rotate
Rotate a secret with a new value.
Command syntax
vendor/bin/typo3 vault:rotate <identifier> [options]
Copied!
Options
- --value=SECRET
- The new secret value (will prompt if not provided).
- --reason=TEXT
- Reason for rotation (logged in audit).
Example
vault:rotate example
vendor/bin/typo3 vault:rotate stripe_api_key \
--reason="Scheduled quarterly rotation"
Copied!
vault:delete
Delete a secret from the vault.
Command syntax
vendor/bin/typo3 vault:delete <identifier> [options]
Copied!
Options
- --reason=TEXT
- Reason for deletion (logged in audit).
- --force, -f
- Skip confirmation prompt.
Example
vault:delete example
vendor/bin/typo3 vault:delete old_api_key \
--reason="Service deprecated" \
--force
Copied!
vault:audit
View the audit log.
Command syntax
vendor/bin/typo3 vault:audit [options]
Copied!
Options
- --identifier=ID
- Filter by secret identifier.
- --action=ACTION
- Filter by action (create, read, update, delete, rotate).
- --days=N
- Show entries from last N days (default: 30).
- --limit=N
- Maximum entries to show (default: 100).
- --format=FORMAT
- Output format: table (default), json.
Example
vault:audit examples
# View recent audit log
vendor/bin/typo3 vault:audit --days=7
# Filter by secret
vendor/bin/typo3 vault:audit --identifier=stripe_api_key
# Export to JSON
vendor/bin/typo3 vault:audit --format=json > audit.json
Copied!
vault:rotate-master-key
Rotate the master encryption key. Re-encrypts all DEKs with a new master key.
Command syntax
vendor/bin/typo3 vault:rotate-master-key [options]
Copied!
Options
- --old-key=PATH
- Path to file containing the old master key (defaults to current configured key).
- --new-key=PATH
- Path to file containing the new master key (defaults to current configured key).
- --dry-run
- Simulate the rotation without making changes.
- --confirm
- Required for actual execution (safety measure).
Warning
Master key rotation re-encrypts all Data Encryption Keys (DEKs). Ensure you have a backup of the old key before proceeding.
Example
vault:rotate-master-key examples
# Old key from file, new key from current config
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/secure/path/old-master.key \
--confirm
# Both keys from files
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--new-key=/path/to/new.key \
--confirm
# Dry run to verify before actual rotation
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--dry-run
Copied!
vault:scan
Scan for potential plaintext secrets in database and configuration.
Command syntax
vendor/bin/typo3 vault:scan [options]
Copied!
Options
- --format, -f
- Output format: table (default), json, or summary.
- --exclude, -e
- Comma-separated list of tables to exclude (supports wildcards).
- --severity, -s
- Minimum severity to report: critical, high, medium, low (default: low).
- --database-only
- Only scan database tables.
- --config-only
- Only scan configuration files.
The command detects:
- Database columns with secret-like names (password, api_key, token, etc.).
- Known API key patterns (Stripe, AWS, GitHub, Slack, etc.).
- Extension configuration secrets.
- LocalConfiguration secrets (SMTP password, etc.).
Severity levels
- critical
- Known API key pattern detected (Stripe, AWS, etc.).
- high
- Password or private key column with non-empty value.
- medium
- Token or API key column with suspicious value.
- low
- Secret-like column name detected.
Example
vault:scan examples
# Scan all sources
vendor/bin/typo3 vault:scan
# Output as JSON for CI/CD
vendor/bin/typo3 vault:scan --format=json
# Exclude cache tables
vendor/bin/typo3 vault:scan --exclude=cache_*,cf_*
# Only show critical issues
vendor/bin/typo3 vault:scan --severity=critical
Copied!
vault:migrate-field
Migrate existing plaintext database field values to vault storage.
Command syntax
vendor/bin/typo3 vault:migrate-field <table> <field> [options]
Copied!
Arguments
- table
- Database table name (e.g.,
tx_myext_settings). - field
- Field name containing plaintext values to migrate.
Options
- --dry-run
- Show what would be migrated without making changes.
- --batch-size, -b
- Number of records to process per batch (default: 100).
- --where, -w
- Additional WHERE clause to filter records (e.g.,
pid=1). - --force, -f
- Migrate even if field already contains vault identifiers.
- --clear-source
- Clear the source field after migration (set to empty string).
- --uid-field
- Name of the UID field (default: uid).
Attention
Always backup your database before running migrations.
Example
vault:migrate-field examples
# Preview migration
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --dry-run
# Migrate with specific records
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --where="pid=1"
# Migrate and clear source field
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --clear-source
Copied!
vault:cleanup-orphans
Clean up orphaned vault secrets from deleted TCA records.
When records with vault-backed fields are deleted, the corresponding vault secrets may become orphaned. This command identifies and removes such orphaned secrets.
Command syntax
vendor/bin/typo3 vault:cleanup-orphans [options]
Copied!
Options
- --dry-run
- Show what would be deleted without making changes.
- --retention-days, -r
- Only delete orphans older than this many days (default: 0).
- --table, -t
- Only check secrets for this specific table.
- --batch-size, -b
- Number of secrets to check per batch (default: 100).
Example
vault:cleanup-orphans examples
# Preview orphan cleanup
vendor/bin/typo3 vault:cleanup-orphans --dry-run
# Only clean up orphans older than 30 days
vendor/bin/typo3 vault:cleanup-orphans --retention-days=30
# Clean up orphans for specific table only
vendor/bin/typo3 vault:cleanup-orphans --table=tx_myext_settings
Copied!
vault:audit-migrate-hmac
Migrate existing audit log entries from plain SHA-256 (epoch 0) to
HMAC-SHA256 (target epoch configured via auditHmacEpoch). This command
rehashes all audit log entries using an HMAC key derived from the master key,
upgrading the hash chain from tamper detection to adversarial tamper resistance.
See ADR-023: Audit hash chain HMAC consideration for the architectural decision behind this migration.
Command syntax
vendor/bin/typo3 vault:audit-migrate-hmac [options]
Copied!
Options
- --dry-run
- Show what would be migrated without making changes.
Example
vault:audit-migrate-hmac examples
# Preview migration
vendor/bin/typo3 vault:audit-migrate-hmac --dry-run
# Run the migration
vendor/bin/typo3 vault:audit-migrate-hmac
Copied!
Attention
This command requires a valid master key to derive the HMAC key. Always backup your database before running the migration. Once migrated, entries cannot be reverted to plain SHA-256 without restoring the backup.