Quickstart
Get Sirr running in under two minutes. Start the server, push your first secret, and watch it self-destruct.
1. Run the server
The recommended approach uses a key file for the master encryption key:
# Generate the master key file once
openssl rand -hex 32 > master.key
chmod 400 master.key
docker run -d \
-p 39999:39999 \
-v ./sirr-data:/data \
-v ./master.key:/run/secrets/master.key:ro \
-e SIRR_MASTER_KEY_FILE=/run/secrets/master.key \
ghcr.io/sirrlock/sirr
Or for local development (key auto-generated, visible via docker inspect):
docker run -d -p 39999:39999 -v ./sirr-data:/data ghcr.io/sirrlock/sirr
Or run the binary directly:
./sirrd serve
# Optionally protect writes: SIRR_API_KEY=my-key ./sirrd serve
2. Install the CLI
# macOS
brew install sirrlock/tap/sirr
# Windows
scoop bucket add sirrlock https://github.com/sirrlock/scoop-bucket
scoop install sirr
# Or download from GitHub Releases
# https://github.com/sirrlock/sirr/releases
Point the CLI at your server:
export SIRR_SERVER=sirr://localhost:39999
export SIRR_API_KEY=my-key # if you set one
3. Push and retrieve
# One-time credential (burns after 1 read)
sirr push DB_URL="postgres://..." --reads 1 --ttl 1h
sirr get DB_URL # returns value
sirr get DB_URL # 404 — burned
# Patchable secret (keeps the key, allows value updates)
sirr push CF_TOKEN=abc123 --reads 5 --no-delete
sirr get CF_TOKEN # returns value, reads remaining: 4
# Expiring .env for your team
sirr push .env --ttl 24h
sirr pull .env # on the other machine
# Run a process with secrets injected as env vars
sirr run -- node app.js
Next steps
- CLI Reference — every command and flag
- MCP Integration — give AI assistants direct vault access
- Self-Hosting — Docker, env vars, and architecture
- SDKs — Node.js, Python, and .NET clients
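For the key file in step 1: `openssl rand -hex 32 > master.key` creates the file under the default umask, so it can be group- or world-readable until `chmod 400` runs. The following is an added example, not part of the Sirr docs; the function names are hypothetical, and the 64-hex-character check assumes the key is exactly what the step 1 command writes. It creates the file with owner-only permissions from the start and verifies an existing file before it is mounted into the container.

```shell
# Added example: function names are hypothetical.
gen_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        # Fallback with the same output format, read from the kernel CSPRNG.
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

make_master_key() {
    key_path=$1
    # Never overwrite an existing key file.
    if [ -e "$key_path" ]; then
        echo "refusing to overwrite $key_path" >&2
        return 1
    fi
    # The subshell keeps umask and noclobber local. Under umask 077 the file is
    # created as 0600, so it is never group- or world-readable, even briefly;
    # set -C makes the redirect fail if the file appeared in the meantime.
    ( umask 077; set -C; gen_hex32 > "$key_path" ) || return 1
    chmod 400 "$key_path"
}

check_master_key() {
    key_path=$1
    if [ ! -f "$key_path" ] || [ -L "$key_path" ]; then
        echo "$key_path is not a regular file" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key_path" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key_path is accessible to group or others" >&2; return 1
    fi
    # Assumption: the key is 64 hex characters, as `openssl rand -hex 32` writes.
    key=$(tr -d '\n' < "$key_path")
    case $key in
        *[!0-9a-fA-F]*) echo "non-hex characters in key" >&2; return 1 ;;
    esac
    if [ "${#key}" -ne 64 ]; then
        echo "expected 64 hex characters, got ${#key}" >&2; return 1
    fi
}
```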