Examples and Recipes

Examples and Recipes

Practical, copy-paste recipes for common tasks. Web steps use the app at https://zefer.carrillo.app; terminal steps use the CLI; code steps use the Library. All produce the same interoperable .zefer files.

Golden rule: send the .zefer file and its passphrase through different channels (e.g., file by email, passphrase by chat). A file alone is useless to anyone who intercepts it.

1. Share an API key with a teammate

Web: Encrypt tab → Text → paste the key → set a passphrase → Encrypt & download → send the .zefer file; share the passphrase separately.

CLI:

echo "API_KEY=sk_live_9f2c8a1b" | zefer encrypt - -p "a-strong-passphrase" -o api-key.zefer
# Recipient:
zefer decrypt api-key.zefer -p "a-strong-passphrase"

2. A self-destructing secret (expires automatically)

zefer encrypt notes.txt -p "pass" --ttl 60      # opens for 60 minutes, then never

Web: pick an expiration (30 min … 2 weeks). After the deadline the file refuses to decrypt. See TTL / expiration.

3. Two-person authorization (dual passphrase)

Require both people to be present to open the file:

zefer encrypt merger.pdf -p "alice-secret" -2 "bob-secret" --dual-key
# Decrypt needs both:
zefer decrypt merger.pdf.zefer -p "alice-secret" -2 "bob-secret"

See dual passphrase.

4. Share without revealing your main passphrase (reveal key)

zefer encrypt report.pdf -p "my-private-key" --reveal "share-2026"
# Give the recipient ONLY "share-2026" — they decrypt without ever seeing your main key:
zefer decrypt report.pdf.zefer -p "share-2026"

See reveal key.

5. Add a secret question

zefer encrypt secret.txt -p "pass" -q "Project codename?" -a "bluebird"

Only a hash of the answer is stored. See secret question.

6. Restrict decryption to specific IPs

zefer encrypt secret.txt -p "pass" --allowed-ips "203.0.113.5,::1"

7. Encrypt all .env files before committing (CI / automation)

for f in *.env; do
  zefer encrypt "$f" -p "$ZEFER_PASS" -o "encrypted/$f.zefer"
done

8. Use it inside a shell pipeline

# Encrypt from stdin, decrypt to stdout, pipe into another tool
echo '{"api_key":"abc"}' | zefer encrypt - -p "$P" -o creds.zefer
zefer decrypt creds.zefer -p "$P" | jq '.api_key'

9. Encrypt from a Node.js service or AWS Lambda (library)

import { encodeZefer } from "zefer-cli";
import { writeFile } from "node:fs/promises";

const buf = await encodeZefer({
  content: process.env.SECRET ?? "",
  passphrase: process.env.ZEFER_PASS!,
  fileName: null,
  expiresAt: 0,
  compression: "gzip",
  iterations: 600_000,   // always pass explicit iterations — the library never auto-benchmarks
});
await writeFile("out.zefer", buf);

See Library.

10. Let an AI agent encrypt/decrypt for you (MCP)

Add the server to your MCP client, then ask the agent to use it:

{ "mcpServers": { "zefer": { "command": "npx", "args": ["-y", "zefer-cli", "mcp"] } } }

The agent gains zefer_encrypt, zefer_decrypt, zefer_keygen, zefer_analyze_password, zefer_inspect. See MCP Server.

11. Generate strong keys for different needs

zefer keygen                              # 64-char passphrase (recommended)
zefer keygen --mode base58 --length 24    # readable, safe to dictate
zefer keygen --mode hex --length 32       # hex token
zefer keygen --mode uuid                  # an identifier
zefer keygen --count 5                    # five at once

Or use the web Password Generator and Analyzer.

12. Pre-fill a decrypt link

https://zefer.carrillo.app/?t=decrypt&p=thePassphrase

The passphrase is auto-cleared from the address bar after it loads. See URL Parameters.

---

📖 Glossary — terms on this page: TTL / expiration · dual passphrase · reveal key · secret question · compression · MCP · PBKDF2. Full list in the Glossary.