José Carrillo edited this page Jun 13, 2026 · 2 revisions

CLI (zefer-cli)

zefer-cli is the official command-line companion. It uses the same binary format and cryptographic parameters as the web app, so .zefer files are fully cross-compatible. It is ideal for scripting, automation, CI pipelines, and terminal workflows.

zefer-cli runs three ways: as a CLI (this page), as an MCP Server, and as a Library.

Install

npm install -g zefer-cli        # recommended (requires Node.js 20+)
npx zefer-cli <command>         # without installing

Standalone binaries (no Node.js required):

Platform              Download
Linux x64             .../releases/latest/download/zefer-linux-x64
Linux ARM64           .../releases/latest/download/zefer-linux-arm64
macOS Intel           .../releases/latest/download/zefer-macos-x64
macOS Apple Silicon   .../releases/latest/download/zefer-macos-arm64
Windows x64           .../releases/latest/download/zefer-win-x64.exe

(Base URL: https://github.com/carrilloapps/zefer-cli.) Each release includes a checksums.txt for integrity verification.
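
One way to use checksums.txt before running a downloaded binary, as an added example that is not part of the zefer-cli project. It assumes checksums.txt follows the sha256sum layout (hex digest, whitespace, file name); sha256_of and verify_asset are hypothetical helper names.

```shell
# Added example: check a downloaded release binary against checksums.txt.
# Assumption: each line is "<64 hex chars>  <filename>" (sha256sum layout).

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'    # macOS fallback
  fi
}

# verify_asset FILE CHECKSUMS
# Returns 0 on match, 1 on mismatch, 2 when there is no usable entry.
verify_asset() {
  local file=$1 sums=$2 name expected actual
  [ -f "$file" ] && [ -f "$sums" ] || return 2
  name=$(basename "$file")

  # Exact match on the filename field (a leading "*" marks binary mode).
  # Emit a digest only when exactly one line names this file.
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { c++; h = tolower($1) }
    END { if (c == 1) print h }' "$sums")

  # Fail closed: missing, duplicated or malformed entries are not a pass.
  case $expected in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2

  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] || return 1
}

# Usage, with both files downloaded from the same release:
#   verify_asset ./zefer-linux-x64 ./checksums.txt && chmod +x ./zefer-linux-x64
```

A checksums.txt fetched from the same release only detects corruption or a swapped asset; it does not authenticate the release itself.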

Commands

Encrypt

zefer encrypt report.pdf -p mypassphrase          # → report.pdf.zefer
zefer encrypt --text "secret note" -p pass -o note.zefer
echo "api_key=abc123" | zefer encrypt - -p pass -o secrets.zefer   # from stdin
cat document.pdf | zefer encrypt - -p pass -o document.zefer

Full security options:

# A comment cannot follow a line-continuation backslash in the shell,
# so the options are collected in a bash array, one commented entry per line.
opts=(
  -p "main-passphrase"
  -2 "second-key" --dual-key       # two-person authorization
  --reveal "reveal-passphrase"     # share without exposing the main key (ZEFR3)
  -q "Pet name?" -a "firulais"     # secret question (PBKDF2-hashed answer)
  --ttl 1440                       # expires in 24 hours (minutes)
  --max-attempts 3                 # lock after 3 failed attempts
  --allowed-ips "10.0.0.1,::1"     # IPv4/IPv6 allowlist
  --hint "two parts needed"        # public hint
  --note "For Alice only"          # public note
  -c gzip                          # compress before encrypting
  -i 1000000                       # 1M PBKDF2 iterations (0 = auto-benchmark)
  --verbose
)
zefer encrypt secret.txt "${opts[@]}"

Decrypt

zefer decrypt report.pdf.zefer -p mypassphrase   # file mode: writes report.pdf
zefer decrypt note.zefer -p mypassphrase         # text mode: prints to stdout
zefer decrypt note.zefer -p mypassphrase | grep "important"

Generate a passphrase

zefer keygen                          # 64-char base64url (recommended)
zefer keygen --mode alpha --length 32 # printable ASCII
zefer keygen --mode hex   --length 32 # hex token
zefer keygen --mode uuid              # UUID
zefer keygen --mode unicode --length 24
zefer keygen --count 5                # 5 keys at once

Inspect (without the passphrase)

zefer info secret.zefer
# Shows: format (ZEFB3/ZEFR3), mode, iterations, compression, hint, note.
# Security details (expiry, IP, question, attempts) stay invisible without the passphrase.

Analyze a password

zefer analyze "Tr0ub4dor&3"
# Score, entropy, keyspace, post-quantum entropy, crack times,
# and NIST / OWASP / AES-128 compliance checks.

MCP server

zefer mcp     # start the Model Context Protocol server (stdio)

See MCP Server.

Flags reference

encrypt [input] [options]
  input                 file path, - for stdin, or use --text
  -o, --output          output path (default: <input>.zefer)
  -p, --passphrase      passphrase (prompted if omitted)
  -2, --second          second passphrase (dual-key)
  -r, --reveal          reveal key (ZEFR3)
  -t, --text            encrypt text directly
  --hint / --note       public hint / note
  -q, --question        secret question
  -a, --answer          secret-question answer
  --ttl <minutes>       expiration (0 = never)
  -i, --iterations      PBKDF2 iterations (0 = auto-benchmark)
  -c, --compression     none | gzip | deflate | deflate-raw
  --max-attempts        max decryption attempts (0 = unlimited)
  --allowed-ips         comma-separated IPv4/IPv6
  --dual-key            enable dual-key mode (requires -2)
  --verbose             show security details

decrypt <input> [options]
  -o, --output          output path (default: stdout / original name)
  -p, --passphrase / -2 / -a   passphrase / second / answer
  --force               overwrite an existing output file

keygen [options]
  -m, --mode            alpha | hex | uuid | secure | unicode (default: secure)
  -l, --length          length in characters (default: 64)
  -n, --count           number of keys (default: 1)

info <input>            show the public header without decrypting

Automation examples

# Encrypt all .env files before committing
for f in *.env; do zefer encrypt "$f" -p "$ZEFER_PASS" -o "encrypted/$f.zefer"; done

# Decrypt and pipe into another tool
zefer decrypt secrets.zefer -p "$ZEFER_PASS" | jq '.api_key'

# Verify a wrong passphrase exits non-zero
if ! zefer decrypt file.zefer -p wrong 2>/dev/null; then echo "wrong passphrase (expected)"; fi

📖 Glossary — terms on this page: AES-256-GCM · PBKDF2 · dual passphrase · reveal key · secret question · TTL / expiration · compression · MCP · entropy. Full list in the Glossary.
