cli

deny.sh from your terminal.

Encrypt, protect, and manage secrets without leaving the command line. Core crypto commands plus vault, tripwires, password-manager bridges, and verification, all with a minimal dependency surface.


Install

Instant: npx deny-sh
Permanent: npm install -g deny-sh

Commands

deny-sh protect
Interactive seed phrase wizard. Validates BIP-39 word count, then encrypts with two passwords. Generates a zip containing the ciphertext and two control files.
$ deny-sh protect

deny-sh encrypt
Encrypt a message or file. Accepts flags or reads from stdin.
$ deny-sh encrypt -m "message" -p1 pass1 -p2 pass2
$ echo "secret" | deny-sh encrypt -p1 pass1 -p2 pass2
$ deny-sh encrypt -f secret.txt -p1 pass1 -p2 pass2

deny-sh decrypt
Decrypt ciphertext using a control file. Supply the ciphertext, the control file, and both passwords. Which plaintext you recover is determined by the control file in play.
$ deny-sh decrypt -i encrypted.bin -c control.dat -p1 pass1 -p2 pass2

deny-sh deny
Generate a deniable control file for existing ciphertext. Lets you add a plausible decoy after the fact.
$ deny-sh deny -i encrypted.bin -p1 pass1 -p2 pass2 -m "decoy message" -o decoy-control.dat

deny-sh env protect / restore
Protect .env files with deniable encryption. Automatically adds .deny/ to .gitignore.
$ deny-sh env protect .env
$ deny-sh env restore .env.deny

deny-sh vault
Local encrypted key-value store. Data is encrypted at rest under your vault password.
$ deny-sh vault set API_KEY sk-abc123
$ deny-sh vault get API_KEY
$ deny-sh vault list

deny-sh init
Create a .deny/ directory in the current project and configure the local settings file.
$ deny-sh init

deny-sh verify
Run the full verification test suite locally. Confirms the crypto implementation matches the deny.sh reference vectors.
$ deny-sh verify

deny-sh status
Show current config, files stored in .deny/, and API usage summary.
$ deny-sh status

Integrations

1Password

Sync control files to your 1Password vault via the op CLI. Push, pull, list, and check sync status.

deny-sh 1p push
deny-sh 1p pull
deny-sh 1p list
deny-sh 1p status

Bitwarden

Sync control files to Bitwarden via the bw CLI. Same push/pull/list/status interface as 1Password.

deny-sh bw push
deny-sh bw pull
deny-sh bw list
deny-sh bw status

Cloud backup

Encrypted archives to local disk, Google Drive, Dropbox, or S3. Configure once, back up anywhere.

deny-sh backup push
deny-sh backup pull
deny-sh backup list
deny-sh backup config

The .deny/ directory

By convention, deny-sh init creates a .deny/ directory in your project. This is where control files, encrypted backups, and local config live.

.deny/
  config.json          # local settings (API key, vault path)
  *.control.json       # control files for each encrypted item
  *.decoy.json         # decoy control files
  backups/             # local encrypted archive copies

Add .deny/*.control.json to your .gitignore. deny-sh env protect does this automatically for .env files.
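
The .gitignore advice above can be checked mechanically. The shell function below is an added example, not part of deny-sh: it reports any config, control, or decoy file under .deny/ that Git is tracking or that no ignore rule covers. The name deny_audit is hypothetical, and treating all three file types as sensitive is this example's assumption.

```shell
#!/bin/sh
# Added example (not deny-sh code): audit a repository for exposed .deny/ files.
# Assumptions: the .deny/ layout is the one listed above, and config.json,
# control files and decoy files are all treated as sensitive.

# deny_audit REPO_DIR
# Prints one line per problem. Returns 0 if clean, 1 if anything is exposed.
deny_audit() {
    repo=$1
    problems=0
    for f in "$repo"/.deny/config.json \
             "$repo"/.deny/*.control.json \
             "$repo"/.deny/*.decoy.json; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        rel=${f#"$repo"/}
        # A file already in the index is published on the next commit and push,
        # even if a .gitignore rule added later would match it.
        if git -C "$repo" ls-files --error-unmatch -- "$rel" >/dev/null 2>&1; then
            echo "TRACKED  $rel"
            problems=1
        # check-ignore -q exits 0 only when some ignore rule matches the path.
        elif ! git -C "$repo" check-ignore -q -- "$rel"; then
            echo "EXPOSED  $rel"
            problems=1
        fi
    done
    return $problems
}

# Usage, for example from a pre-commit hook:  deny_audit . || exit 1
```

With only the `.deny/*.control.json` rule in place, config.json and decoy files are still reported as EXPOSED; ignoring `.deny/` as a whole covers all three.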

Size and dependencies

~3KB SDK core (minified)
1 runtime npm dep

AES-256-CTR via node:crypto from the Node.js standard library. Argon2id via hash-wasm, a pure-WebAssembly module with no transitive runtime deps and a small audited surface. The CLI itself adds commander for argument parsing.