Ennote Documentation
login

Overview with Install Guide

The Ennote CLI is an identity-driven, zero-persistence secret manager designed for developers and CI/CD environments. It natively bridges the gap between human identity (SSO) and infrastructure, allowing you to fetch, inject, and manage enterprise secrets without writing plaintext .env files to disk.

Installation

We provide signed, pre-compiled binaries for all major operating systems.

macOS & Linux (Homebrew)

bash
brew install ennote-io/tap/ennote

Windows (Scoop)

powershell
scoop bucket add ennote-io https://github.com/ennote-io/scoop-bucket
scoop install ennote

Universal Shell Script (CI/CD)

For headless environments, Alpine Linux, or raw CI/CD runners:

bash
curl -sSfL https://get.ennote.io/get-cli.sh | sh

Pre-compiled binaries, .deb, .rpm, and .apk packages are also available on our Releases Page .

Security & Provenance

Enterprise security is our foundational principle. Every release is entirely automated and cryptographically verifiable.

  • Software Bill of Materials (SBOM): We attach a standard SPDX/CycloneDX SBOM (.sbom.json) to every compiled artifact.
  • Keyless Signatures: All release checksums are signed using Sigstore Cosign via GitHub OIDC tokens.
  • Zero Persistence Pipeline: No human developer possesses the cryptographic keys to publish or sign a release.

Architectural Cryptography

The Ennote CLI operates on a strict Zero-Persistence threat model:

  • Hardware-Backed Cryptography:Implements Ephemeral Elliptic-Curve Diffie-Hellman (X25519) combined with Post-Quantum CRYSTALS-Kyber (Kyber-1024) encapsulation. 

  • RAM-Only Decapsulation:Secrets are decapsulated strictly in volatile memory. Plaintext Data Encryption Keys (DEKs) are explicitly destroyed using compiler-safe memory wiping routines before functions exit. 

  • OS-Native Keyrings:Authentication tokens are stored securely in the native OS Keyring (macOS Keychain, Windows Credential Manager, Linux Secret Service), never in plaintext config files. 

  • Strict Transport Security:Requires TLS 1.3 for all remote gRPC connections, with hardcoded downgrade prevention. 

Need Help?

If you encounter any issues or have questions, don’t hesitate to contact support. Our team is here to assist you with any challenges you might face.

Was this page helpful?

© 2026 Ennote.io. All Rights Reserved.