Quickstart: generate a key and encrypt your first secret

This guide walks you through the core rskey workflow: generating a key file, encrypting a sensitive value, and confirming the key with its fingerprint. The examples use Posit Package Manager paths, but the same steps apply to Connect and Workbench — swap the key file path and any --mode flag as needed.

Install rskey

Download a binary release for your platform or install with Go. See the installation guide for full instructions.

go install github.com/rstudio/rskey@latest

Confirm the installation:

rskey --version

Generate a key

Use rskey generate to create a new key file. Pass -o to write directly to a file instead of standard output. The command sets file permissions to 0600 automatically.

rskey generate -o /var/lib/rstudio-pm/rstudio-pm.key

If you want to inspect the key or pipe it elsewhere, omit -o and the key is written to standard output instead:

rskey generate

The key is 512 hex-encoded, securely-generated random bytes — equivalent to openssl rand -hex 512.

Keep your key file secret. Anyone who has the key file can decrypt all values encrypted with it. Store it in a secrets manager, a Kubernetes Secret, or another access-controlled location — never in version control.

Encrypt a value

Use rskey encrypt with -f pointing to your key file. When you run the command interactively, rskey prompts you to type the sensitive value twice (input is not echoed to the terminal):

rskey encrypt -f /var/lib/rstudio-pm/rstudio-pm.key

Type the sensitive data to encrypt, then press Enter:
Type the sensitive data again:
{encrypted output}

Copy the output and paste it into your product’s configuration file.To encrypt multiple values non-interactively, pass them as newline-separated lines on standard input:

cat passwords.txt | rskey encrypt -f /var/lib/rstudio-pm/rstudio-pm.key

rskey outputs one encrypted value per line, in the same order as the input.

Verify with fingerprint

Use rskey fingerprint to print a short identifier for the key file. Posit products log this fingerprint when they load a key, so you can use it to confirm that the product is using the correct key.

rskey fingerprint -f /var/lib/rstudio-pm/rstudio-pm.key

The default fingerprint algorithm is SHA-256. For Workbench keys, rskey uses CRC-32 to match the fingerprint format Workbench records in its logs.

What’s next?

Posit Connect
Package Manager
Workbench
FIPS mode

Posit Connect guide

Learn how to generate keys, encrypt configuration values, and reference encrypted secrets in rstudio-connect.gcfg for Connect deployments.

Package Manager guide

Set up key files and encrypt database passwords for Posit Package Manager, including automated provisioning with rspm configure.

Workbench guide

Work with Workbench-specific key formats (rskey or UUID), AES-128-CBC encryption, and the --mode=workbench flag.

FIPS mode guide

Switch to AES-256-GCM encryption with --mode=fips for Connect 2022.03.0+ and Package Manager 2024.04.0+ deployments that require FIPS 140 compliance.

Get Started

Commands

Guides

Reference

Quickstart: generate a key and encrypt your first secret

What’s next?

Posit Connect guide

Package Manager guide

Workbench guide

FIPS mode guide

Build docs developers (and LLMs) love

Get Started

Commands

Guides

Reference

Documentation Index

​What’s next?

Posit Connect guide

Package Manager guide

Workbench guide

FIPS mode guide

Build docs developers (and LLMs) love

What’s next?