$ eventum-keyring
Manage encrypted secrets — set, get, and remove credentials stored in the keyring cryptfile.
A standalone tool for managing secrets stored in an encrypted keyring file. Secrets added here are available in generator configs via ${secrets.name} tokens. See Secrets for the full picture of how secrets work in Eventum.
eventum-keyring is a separate executable from eventum — it is installed alongside it but invoked independently.
```text
eventum-keyring <command> [OPTIONS]
```

Commands
set
Stores or updates a secret in the keyring.
```text
eventum-keyring set <name> [<value>] [--cryptfile <path>]
```

| Argument | Required | Description |
|---|---|---|
| name | Yes | Name of the secret. This is the key used in ${secrets.name} tokens. |
| value | No | Secret value. If omitted, you are prompted to enter it interactively (input is hidden). |

| Option | Type | Description |
|---|---|---|
| --cryptfile | path | Path to the cryptfile. If it doesn't exist, a new file is created. If omitted, uses the system default location. |
```shell
# Inline value
eventum-keyring set db_password "s3cret"

# Interactive prompt (hidden input)
eventum-keyring set db_password
# Enter password of `db_password`: ********
# Done

# Custom cryptfile location
eventum-keyring set api_key "tok_abc123" --cryptfile ./project/cryptfile.cfg
```

Prints Done to stderr on success.
get
Retrieves a secret from the keyring and prints it to stdout.
```text
eventum-keyring get <name> [--cryptfile <path>]
```

| Argument | Required | Description |
|---|---|---|
| name | Yes | Name of the secret to retrieve. |

| Option | Type | Description |
|---|---|---|
| --cryptfile | path | Path to the cryptfile. Must exist. If omitted, uses the system default location. |
```shell
eventum-keyring get db_password
# s3cret

eventum-keyring get api_key --cryptfile ./project/cryptfile.cfg
# tok_abc123
```

If the secret doesn't exist, prints an error and exits with code 1.
remove
Deletes a secret from the keyring.
```text
eventum-keyring remove <name> [--cryptfile <path>]
```

| Argument | Required | Description |
|---|---|---|
| name | Yes | Name of the secret to delete. |

| Option | Type | Description |
|---|---|---|
| --cryptfile | path | Path to the cryptfile. Must exist. If omitted, uses the system default location. |
```shell
eventum-keyring remove db_password
# Done
```

Prints Done to stderr on success. If the secret doesn't exist, prints an error and exits with code 1.
Exit codes
All three commands share the same exit code conventions:
| Code | Meaning |
|---|---|
| 0 | Operation completed successfully. |
| 1 | Error — secret not found, blank name, cryptfile access issue, or other failure. |
Environment variables
EVENTUM_KEYRING_PASSWORD
The encryption password used to read and write the cryptfile. Set this before running any keyring command:
```shell
export EVENTUM_KEYRING_PASSWORD="your-strong-password"
```

If the variable is not set, Eventum uses the default password eventum and logs a warning. For production use, always set a custom password.
The same EVENTUM_KEYRING_PASSWORD must be set when running eventum generate or eventum run — otherwise Eventum cannot decrypt the secrets stored in the cryptfile.
The cryptfile
The cryptfile is an AES-encrypted file managed by keyrings.cryptfile. All secrets are stored under the service name eventum.
The --cryptfile flag on each command controls which file is used. This should match the path configured elsewhere:
| Context | Where the path is set |
|---|---|
| eventum run | path.keyring_cryptfile in eventum.yml |
| eventum generate | --cryptfile flag |
| eventum-keyring | --cryptfile flag on each subcommand |
When --cryptfile is omitted, all three tools fall back to the system default keyring location.
Examples
Setting up secrets for a project:
```shell
export EVENTUM_KEYRING_PASSWORD="project-key"

# Store credentials
eventum-keyring set opensearch_password "prod-password" --cryptfile ./cryptfile.cfg
eventum-keyring set ch_password "clickhouse-secret" --cryptfile ./cryptfile.cfg
eventum-keyring set auth_password "admin-password" --cryptfile ./cryptfile.cfg

# Verify
eventum-keyring get opensearch_password --cryptfile ./cryptfile.cfg
# prod-password
```

Then reference them in configs:
```yaml
output:
  - opensearch:
      hosts:
        - https://opensearch:9200
      username: admin
      password: ${secrets.opensearch_password}
```

```shell
eventum generate \
  --id my-gen \
  --path ./generator.yml \
  --cryptfile ./cryptfile.cfg
```

Rotating a secret:
```shell
# Update the value — same name overwrites the previous secret
eventum-keyring set opensearch_password "new-password" --cryptfile ./cryptfile.cfg

# Restart or hot-reload to pick up the change
kill -HUP $(pgrep -f "eventum run")
```
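Preflight check before starting a generator, added here as an example (not part of Eventum or its documentation): it uses only the `get` command, exit codes and `EVENTUM_KEYRING_PASSWORD` behaviour described on this page. The function names `secret_names` and `preflight` are hypothetical, and it assumes secret names contain only letters, digits and underscores.

```shell
#!/bin/sh
# Added example (not Eventum code): preflight before `eventum generate` / `eventum run`.
# Assumption: names in ${secrets.name} tokens use only letters, digits and underscores.

# Print the unique secret names referenced in a config file, one per line.
secret_names() {
    grep -o '\${secrets\.[A-Za-z0-9_]*}' "$1" 2>/dev/null |
        sed 's/^\${secrets\.//; s/}$//' | sort -u
}

# preflight <config> <cryptfile>: return 0 only if every check passes.
preflight() {
    config=$1 cryptfile=$2 rc=0

    # Unset means Eventum falls back to the documented default password "eventum".
    if [ -z "${EVENTUM_KEYRING_PASSWORD:-}" ] ||
        [ "$EVENTUM_KEYRING_PASSWORD" = "eventum" ]; then
        echo "FAIL: EVENTUM_KEYRING_PASSWORD is unset or is the default" >&2
        rc=1
    fi

    # `get` needs an existing cryptfile; only `set` creates one.
    if [ ! -f "$config" ] || [ ! -f "$cryptfile" ]; then
        echo "FAIL: config or cryptfile not found" >&2
        return 1
    fi

    # `get` exits 1 when a secret is missing or the cryptfile cannot be read.
    # stdout is discarded so secret values never reach the terminal or logs.
    for name in $(secret_names "$config"); do
        if ! eventum-keyring get "$name" --cryptfile "$cryptfile" >/dev/null 2>&1; then
            echo "FAIL: secret '$name' not readable from $cryptfile" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: preflight ./generator.yml ./cryptfile.cfg && eventum generate ...
```

When populating the cryptfile, the interactive form of `set` keeps the value out of shell history and the process list, unlike the inline form.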