Manage Credentials new in v0.33.0

Credentials provide your identity on SecretHub and allow you to decrypt all the secrets you have access to on SecretHub. All the machines you personally want to access SecretHub with need their own credential. This command allows you to manage these credentials.

Currently there are two types of credentials:

Key Credentials
This type of credential lives as a file on your machine. This is the default type of credentials and it is created when using the secrethub signup or secrethub init commands.
Backup Codes
This is a special type of credential that can be used to restore access to your account in case you lose access to your other credentials. Backup Codes can be generated with the secrethub credential backup command. Every SecretHub user is advised to create at least a single Backup Code and store it somewhere safely (for example by writing it down and storing in a safe deposit box). If you do not do this, you’ll be at risk for losing the secrets in your personal workspace. And in your company’s workspace you’d have to ask an admin to give you access again.

Using Multiple Devices

If you want to use your SecretHub account on another device, you have to create a new credential for it. Currently, the way to do this, is by creating a Backup Code and using it on the secondary device. Assuming device A is your current device and you want to start using SecretHub on device B, you have to take the following steps:

  1. Run secrethub credential backup on device A and note the Backup Code.
  2. Run secrethub init on device B and enter the previously generated Backup Code.
  3. Optionally run secrethub credential disable to disable the Backup Code if you do not plan to use it anymore.

All Commands

To manage your credentials, you can use the following commands:

All credentials are identified by a unique fingerprint of 64 hexadecimal characters. Most commands only display the first 16 characters of the fingerprint and also accept this shortened version as input.

List new in v0.33.0

To list all your credentials, you can use the credential ls command:

secrethub credential ls [options]

The credential ls command prints out a list of all your credentials.


-T, --timestamp
Show timestamps formatted to RFC3339 instead of human readable durations.

Backup new in v0.33.0

To create a backup code for your account, you can use the credential backup command:

secrethub credential backup [options]

This will output a 64 character long Backup Code. It can later be restored with the secrethub init command.

Disable new in v0.33.0

When you no longer want to use a certain credential or have reasons to assume the credential has been compromised, you can disable an existing credential by using the credential disable command:

secrethub credential disable [options] [<fingerprint>]

A disabled credential can no longer be used on SecretHub. When you use SecretHub on a machine that uses a disabled credential, any operation will lead to the following error message:

Encountered an error: credential is disabled


[<fingerprint>] (string)
The fingerprint of the credential to disable. If you do not provide this argument, you will be prompted for its value.

See Also