SI Vault Ops
Use this workflow for secure secret management with SI vault.
Fast path
- Check vault state first:

```bash
si vault status
si vault check
```

- If needed, initialize:

```bash
si vault init
```

- Read or update keys:

```bash
si vault get KEY
si vault set KEY value
si vault unset KEY
```

- Run commands with decrypted env:

```bash
si vault run -- <cmd>
```
Guardrails
- Never print full secret values unless explicitly requested.
- Prefer `si vault run` over exporting decrypted variables into shell history.
- Keep file paths explicit when not using defaults (`--file`).
- For trust issues, inspect recipients and trust store before rotating:

```bash
si vault recipients
si vault trust
```
Validation
- After writes, run:

```bash
si vault check
si vault status
```

- Confirm expected key presence with:

```bash
si vault list
```
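
The validation steps above can be wrapped in one function that confirms expected keys without ever reading a secret value. This is an added example, not part of the SI tooling; the function name `vault_validate` is hypothetical, and it assumes `si vault check` and `si vault status` exit non-zero on failure and that `si vault list` prints key names as whitespace-delimited words.

```bash
#!/usr/bin/env bash
# Added example: post-write validation that never reads secret values.
# Assumptions (not documented on this page): `si vault check` and
# `si vault status` exit non-zero on failure, and `si vault list`
# prints key names (not values) as whitespace-delimited words.

# vault_validate KEY...
# Returns 0 if check/status pass and every KEY is listed,
# 1 if check, status or list fails, 2 if any expected key is missing.
vault_validate() {
    local key listing missing
    missing=0

    # State checks first. Output is discarded so nothing sensitive
    # lands in CI logs or terminal scrollback.
    si vault check >/dev/null 2>&1 || { echo "vault check failed" >&2; return 1; }
    si vault status >/dev/null 2>&1 || { echo "vault status failed" >&2; return 1; }

    # Capture key names once. `si vault get` is never called, so no
    # decrypted value is handled by this function.
    listing=$(si vault list 2>/dev/null) || { echo "vault list failed" >&2; return 1; }

    for key in "$@"; do
        # -F literal, -w whole word: API_KEY does not match API_KEY_OLD.
        if ! printf '%s\n' "$listing" | grep -Fqw -- "$key"; then
            echo "missing key: $key" >&2
            missing=1
        fi
    done

    [ "$missing" -eq 0 ] || return 2
}
```

Source the file and call `vault_validate DB_PASSWORD API_KEY` after a batch of `si vault set` calls; only key names are written to stderr on failure.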