Command reference

Every command, grouped by purpose — what it does, when to reach for it, and its flags and caveats. This mirrors dew <command> --help; for a task-first walkthrough, see the guide.

Identity

One global age identity per machine, shared across all your repos. The private key encrypts and decrypts your images; it never gets committed or synced.

dew keygen

Create the one age identity this machine uses. Run it once per machine, before you pack anything. It refuses to overwrite an existing identity, and writes the private key 0600.

dew keygen

See also: key push to set the same identity up on another machine — don't run keygen there.

dew key status

Show whether this machine has an identity and print its public key. Use it to confirm a machine is set up before you restore.

dew key status

dew key push <user@host>

Provision this machine's identity onto another machine over SSH — the one-time bootstrap so a second machine can decrypt your images. Verifies the host key the normal way (an unknown host aborts), creates ~/.dew and writes the key 0600 there, and verifies the result.

dew key push vbarooah@nvk2
dew key push vbarooah@nvk2 --yes     # skip the confirmation

Flag         Description
--force      Overwrite a different identity already on the target (no-op if it's the same).
-y, --yes    Skip the confirmation prompt.

This is one of two commands that transmit your private key — only when you run it, to a machine you control. dew sync still never moves the key. Don't run dew keygen on the new machine. Requires ssh/scp.

dew key pull <user@host>

The mirror of key push: fetch the identity from a machine that has it onto this one. Downloads to a temp file and verifies it matches the source's public key before installing — a bad download never clobbers your local key — and won't replace a different local identity without --force.

dew key pull vbarooah@nvk2

Flag         Description
--force      Replace a different identity already on this machine.
-y, --yes    Skip the confirmation prompt.
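
The verify-before-install order that key pull describes, as an added Go example rather than dew's own code. InstallPulled, its parameters and the derive callback (standing in for real age public-key derivation) are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// InstallPulled installs a downloaded identity only after verifying it.
// Hypothetical helper: derive maps private-key bytes to a public key, and
// wantPub is the source machine's public key obtained out of band.
func InstallPulled(keyPath string, pulled []byte, wantPub string, force bool,
	derive func([]byte) (string, error)) error {
	if got, err := derive(pulled); err != nil || got != wantPub {
		return errors.New("pulled key does not match the source's public key")
	}
	local, err := os.ReadFile(keyPath)
	if err == nil {
		if pub, derr := derive(local); derr == nil && pub == wantPub {
			return nil // same identity already installed: nothing to do
		}
		if !force {
			return errors.New("a different local identity exists; refusing without force")
		}
	} else if !os.IsNotExist(err) {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(keyPath), ".pull-*") // created with mode 0600
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	_, werr := tmp.Write(pulled)
	if cerr := tmp.Close(); werr != nil || cerr != nil {
		return errors.Join(werr, cerr)
	}
	return os.Rename(tmp.Name(), keyPath) // atomic replace on the same filesystem
}

func main() { // constructed demo; toy is NOT real age key derivation
	toy := func(k []byte) (string, error) { return "pub-of-" + string(k), nil }
	path := filepath.Join(os.TempDir(), "dew-example-identity")
	defer os.Remove(path)
	fmt.Println(InstallPulled(path, []byte("k1"), "pub-of-k1", false, toy))
}
```

Because the temp file lives in the same directory as the target, the final rename never leaves a half-written key in place.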

dew key devices

List where this machine's identity has been sent or received via key push/pull — peer, direction, public-key fingerprint, when. Each transfer records on both ends.

dew key devices
A best-effort audit log, not a registry or revocation tool: manual key copies aren't recorded, and dew has no key rotation — so removing an entry doesn't de-provision a machine.

Repository

The committed half of the model: .dew/manifest.yaml declares the project, image name, and the allow-list of files to manage. It holds paths only — never secrets, contents, or keys.

dew init

Set up dew in the current repo by creating .dew/manifest.yaml. Commit that file — it's how a clone knows which image to fetch. Refuses to overwrite an existing manifest.

dew init
dew init --project billing-svc      # name independent of the folder
dew init --from-gitignore           # seed the allow-list from discovered candidates

Flag                    Description
-p, --project <name>    Project name (default: the directory's base name); becomes the image filename <name>.dew.age.
--from-gitignore        Seed the allow-list with discovered candidates.

dew scan

Suggest local files worth tracking — reads .gitignore and the working tree and lists candidates, filtering out noise (build output, logs). It only suggests; nothing is added until you opt in.

dew scan

dew add <path>...

Track one or more files or directories — a one-time declaration recorded in the manifest; dew pack then always uses their current contents. Paths outside the repo are rejected.

dew add .env.local certs/dev.pem    # track specific paths
dew add .                           # interactively add discovered candidates
dew add . --yes                     # add all discovered candidates

Flag         Description
-y, --yes    With add ., accept all discovered candidates without prompting.

dew add . adds the candidates scan found — not every file in the repo.

dew remove <path>... (alias: rm)

Stop tracking one or more paths. Removing a path that isn't tracked is a harmless no-op; the next dew pack reflects the change.

dew remove .env.local

dew list (alias: ls)

Show this repo's allow-list — the files dew manages — and the project name. These are the paths dew pack will include.

dew list

See also: rules for the deny layers too.

dew rules

Show the effective rules: the allow-list plus the three deny layers that keep noise out — built-in patterns, your global ~/.dew/config.yaml, and the repo's manifest. Use it to understand why a path is included or skipped.

dew rules

Image

Pack turns your tracked files into one encrypted image; restore brings them back. Pipeline: files → tar → zstd → age encrypt, and the reverse.

dew pack

Encrypt the tracked files into ~/.dew/images/<project>.dew.age (written atomically). Run it after you add or change a tracked file — pack always uses the current contents, so you declare files once and never re-add. The deny-list keeps noise out even from allow-listed directories.

dew pack
dew pack --dry-run                  # preview what would be included; write nothing
dew pack --force                    # overwrite an image created by a different repo

Flag         Description
--dry-run    List what would be packed (files + sizes); write nothing. Needs no identity.
--force      Overwrite an image created by a different repo.

Each image is bound to the repo that created it; pack refuses to overwrite a different repo's image without --force.

dew restore

Hydrate the working tree from this repo's image — decrypt, decompress, and write the tracked files back. This is what makes a fresh clone runnable; pair it with dew sync pull on a new machine.

dew restore
dew restore --dry-run               # preview new / unchanged / conflicts; change nothing
dew restore --force                 # overwrite local files that differ from the image

Flag         Description
--dry-run    Preview the written / unchanged / conflict classification; change nothing.
--force      Overwrite local files that differ from the image.

Safe by default: files are staged first, and any local file that differs from the image is reported as a conflict and left untouched unless you pass --force. dew keeps no version history, so this default is what stops a careless restore from losing your edits.
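
The written / unchanged / conflict classification and the effect of --dry-run and --force, as an added Go example that is not dew's own code. The Restore function, its in-memory image map, the path check and the rule that a single conflict blocks every write are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Restore labels every image entry against root, then writes only if safe.
func Restore(root string, image map[string][]byte, force, dryRun bool) (map[string]string, error) {
	plan, conflicts := map[string]string{}, 0
	for rel, want := range image {
		if !filepath.IsLocal(rel) { // "../x" or an absolute path would escape root
			return nil, fmt.Errorf("unsafe path in image: %q", rel)
		}
		have, err := os.ReadFile(filepath.Join(root, rel))
		switch {
		case os.IsNotExist(err):
			plan[rel] = "written" // absent locally, safe to create
		case err != nil:
			return nil, err
		case string(have) == string(want):
			plan[rel] = "unchanged"
		default: // local content differs from the image
			plan[rel], conflicts = "conflict", conflicts+1
		}
	}
	if dryRun {
		return plan, nil // preview only, nothing is touched
	}
	if conflicts > 0 && !force { // assumption: any conflict blocks the whole restore
		return plan, fmt.Errorf("%d conflict(s); nothing written", conflicts)
	}
	for rel, state := range plan {
		dst := filepath.Join(root, rel)
		if state == "unchanged" {
			continue
		} else if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
			return plan, err
		} else if err := os.WriteFile(dst, image[rel], 0o600); err != nil {
			return plan, err
		}
	}
	return plan, nil
}

func main() { // constructed one-file image, dry run against the current directory
	fmt.Println(Restore(".", map[string][]byte{".env.local": []byte("A=1\n")}, false, true))
}
```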

dew hydrate

The same operation as restore, with the same flags — dew's signature verb, surfaced as its own command.

dew hydrate
dew hydrate --dry-run

Sync

A single destination, set with dew remote and stored in ~/.dew/config.yaml. Local/mounted paths are copied directly; remote host:path destinations go over scp, inheriting your SSH config. Sync moves the encrypted image only — never the private key.

dew remote

Manage the sync destination. With no subcommand it prints the current destination; set changes it (a local path or scp-style host:path); unset clears it.

dew remote                        # show the current destination
dew remote set /Volumes/nas/dew   # a local/mounted path
dew remote set nas:/volume1/dew   # an scp-style remote
dew remote unset                  # clear it

dew remote test

Check the configured destination is actually usable before you rely on dew sync — reachable, trusted (host key), and writable. Exits non-zero if not. For a local path it catches the classic "the volume isn't mounted"; for a remote it reports OpenSSH's own verdict.

dew remote test

Uses ssh for remote destinations (local checks need nothing).

dew remote images

List the images stored at the destination — the mirror of dew images (which lists this machine's). Confirms a push landed, or shows what a new machine can pull.

dew remote images

dew sync

Push this repo's encrypted image to the destination you configured with dew remote set, so another machine can fetch it. Run it after dew pack.

dew sync

dew sync pull

Fetch this repo's image from the destination into ~/.dew/images, so you can restore it. Run it on a fresh clone, then dew restore. Your identity must already be on this machine to decrypt.

dew sync pull

Health & inventory

dew status

A per-repo snapshot: whether your identity and manifest are present, whether an image exists, how many files are tracked, the hydration state, and the configured sync destination. A quick check after cloning or before packing.

dew status

See also: doctor for a diagnosis with the exact fix.

dew doctor

Check the repo end to end and report the one thing to fix next — a missing identity, no manifest, an unpacked or undecryptable image, files waiting to be restored — or confirm it's fully hydrated. Unlike status, it verifies the image actually decrypts, and every problem comes with the exact command to run. Start here whenever a clone isn't working.

dew doctor

dew images

A global inventory of every image dew manages in ~/.dew/images — project, size, when it was last packed, and which repo owns it. Runs from anywhere.

dew images

dew version

Print the version, commit, build date, and Go toolchain — handy when reporting a bug. (Also available as dew --version.)

dew version

Global

Item             Description
-h, --help       Help for any command. Every command's --help is self-contained.
-v, --version    Print the version.
DEW_HOME         Environment variable that overrides the dew home directory (default ~/.dew) — handy for testing or isolating identities.

Exit codes

dew exits non-zero on error (printed as dew: error: …). Notable cases: restore with unresolved conflicts (no --force); pack against another repo's image (no --force); keygen/init when the target already exists; remote test when the destination is unusable; a required tool (scp/ssh) missing for a remote.

For a task-first walkthrough see the guide; for the deepest detail, the command reference and user manual on GitHub.