Skip to main content

Designing a Secure CLI App

Design considerations for a secure CLI:

  • Least privilege: store data in a user-specific directory with restrictive permissions.
  • Explicit secrets handling: never print secrets, avoid storing plaintext on disk.
  • Clear UX for security: make it easy for users to use secure defaults.

Example: CLI subcommands

vault add --name email --value
vault get --name email
vault list

Directory layout:

  • ~/.vault_cli/
    • data.enc
    • config.json (minimal, no secrets)

Lesson: Good security starts at design: minimize what must be trusted.