deny.sh from your terminal.

Encrypt, protect, and manage secrets without leaving the command line. 9 commands, zero runtime dependencies.


Install

Instant:   npx deny-sh
Permanent: npm install -g deny-sh

Commands

deny-sh protect
Interactive seed phrase wizard. Validates BIP-39 word count, then encrypts with two passwords. Generates a zip containing the ciphertext and two control files.
$ deny-sh protect

deny-sh encrypt
Encrypt a message or file. Accepts flags or reads from stdin.
$ deny-sh encrypt -m "message" -p1 realpass -p2 decoypass
$ echo "secret" | deny-sh encrypt -p1 realpass -p2 decoypass
$ deny-sh encrypt -f secret.txt -p1 realpass -p2 decoypass

deny-sh decrypt
Decrypt ciphertext using a control file. Supply the control file path and one password (real or decoy).
$ deny-sh decrypt -c control.json -p yourpassword

deny-sh deny
Generate a deniable control file for existing ciphertext. Lets you add a plausible decoy after the fact.
$ deny-sh deny -c real-control.json -p2 decoypass -m "decoy message"

deny-sh env protect / restore
Protect .env files with deniable encryption. Automatically adds .deny/ to .gitignore.
$ deny-sh env protect .env
$ deny-sh env restore .env.deny

deny-sh vault
Local encrypted key-value store. Data is encrypted at rest under your vault password.
$ deny-sh vault set API_KEY sk-abc123
$ deny-sh vault get API_KEY
$ deny-sh vault list

deny-sh init
Create a .deny/ directory in the current project and configure the local settings file.
$ deny-sh init

deny-sh verify
Run the full verification test suite locally. Confirms the crypto implementation matches the deny.sh reference vectors.
$ deny-sh verify

deny-sh status
Show current config, files stored in .deny/, and API usage summary.
$ deny-sh status

Integrations

1Password

Sync control files to your 1Password vault via the op CLI. Push, pull, list, and check sync status.

deny-sh 1p push
deny-sh 1p pull
deny-sh 1p list
deny-sh 1p status

Bitwarden

Sync control files to Bitwarden via the bw CLI. Same push/pull/list/status interface as 1Password.

deny-sh bw push
deny-sh bw pull
deny-sh bw list
deny-sh bw status

Cloud backup

Encrypted archives to local disk, Google Drive, Dropbox, or S3. Configure once, back up anywhere.

deny-sh backup push
deny-sh backup pull
deny-sh backup list
deny-sh backup config

The .deny/ directory

By convention, deny-sh init creates a .deny/ directory in your project. This is where control files, encrypted backups, and local config live.

.deny/
  config.json          # local settings (API key, vault path)
  *.control.json       # control files for each encrypted item
  *.decoy.json         # decoy control files
  backups/             # local encrypted archive copies

Add .deny/*.control.json to your .gitignore. deny-sh env protect does this automatically for .env files.
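
A check for the advice above, as an added example that is not part of deny-sh: the shell function below uses git to report .deny/ files that are already tracked or that no ignore rule covers. The function name deny_audit and the extra check on .deny/config.json (which the layout above says holds an API key) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not part of deny-sh): audit a git work tree for .deny/ files
# that are tracked or not covered by an ignore rule.
# Usage: . ./deny_audit.sh && deny_audit /path/to/repo

# Paths checked. *.control.json comes from the page's .gitignore advice;
# config.json is an assumption of this example (the layout lists an API key in it).
DENY_PATTERNS='.deny/*.control.json .deny/config.json'

# Print findings for the repository in $1.
# Returns 0 if nothing is exposed, 1 otherwise.
deny_audit() {
    repo=$1
    rc=0
    set -f    # keep the shell from expanding the patterns; git matches them
    for pat in $DENY_PATTERNS; do
        # 1. Files already in the index. An ignore rule added later
        #    does not untrack them, so this is checked separately.
        tracked=$(git -C "$repo" ls-files -- "$pat")
        if [ -n "$tracked" ]; then
            printf '%s\n' "$tracked" | sed 's/^/TRACKED: /'
            rc=1
        fi
        # 2. Would a new file matching the pattern be ignored? Probe with a
        #    constructed file name; --no-index leaves the index out of it.
        probe=$(printf '%s' "$pat" | sed 's/\*/probe/')
        if ! git -C "$repo" check-ignore -q --no-index -- "$probe"; then
            printf 'NOT IGNORED: %s\n' "$pat"
            rc=1
        fi
    done
    set +f
    return $rc
}
```

Run it from a pre-commit hook or CI job as deny_audit . and fail the step on a non-zero exit status.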

Size and dependencies

8.4KB total size
0 npm dependencies

Uses only node:crypto from the Node.js standard library. Nothing to audit, nothing to update, nothing that can supply-chain you.