
CLI Tool

Tayra includes a command-line tool for PII data protection operations that can be run outside your application. Use it for assembly scanning, compliance report generation, key management, database verification, and brownfield migration -- all from the terminal or a CI/CD pipeline.

Install

Install as a global .NET tool:

```bash
dotnet tool install --global Tayra.Cli
```

Or as a local tool in your project:

```bash
dotnet new tool-manifest   # if you don't have one yet
dotnet tool install Tayra.Cli
```

After installation, invoke commands with `dotnet tayra`:

```bash
dotnet tayra --help
```

Commands

inventory

Scan a compiled assembly to produce a PII data map. The command loads the assembly via reflection and finds all types annotated with `[PersonalData]`, `[DataSubjectId]`, `[DeepPersonalData]`, `[SerializedPersonalData]`, and `[BlindIndex]` attributes.

```bash
dotnet tayra inventory --assembly bin/Release/net9.0/MyApp.dll
```

Options

| Option | Alias | Required | Default | Description |
| --- | --- | --- | --- | --- |
| `--assembly <path>` | `-a` | Yes | | Path to the compiled assembly to scan |
| `--format <format>` | `-f` | No | `table` | Output format: `table`, `json`, or `markdown` |

Example Output

```text
Found 3 entity type(s) with PII annotations:

  MyApp.Models.Customer
    [DataSubjectId] CustomerId : String
    [PersonalData] FullName : String
    [PersonalData] Email : String
    [BlindIndex] Email : String
    [PersonalData] PhoneNumber : String

  MyApp.Models.Employee
    [DataSubjectId] EmployeeId : String
    [PersonalData] Name : String
    [PersonalData] SSN : String

  MyApp.Models.Order
    [DataSubjectId] CustomerId : String
    [PersonalData] ShippingAddress : String
    [DeepPersonalData] ContactInfo : ContactDetails

Summary: 3 entities, 6 PII fields
```

verify

Verify encryption coverage in a live database. The command connects to the database, queries columns that correspond to PII-annotated properties, and checks that stored values match the Tayra wire format (version byte + 12-byte nonce + ciphertext + 16-byte auth tag).

```bash
dotnet tayra verify --connection "Host=localhost;Database=myapp;Username=postgres;Password=secret"
```
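The layout check described above can be sketched as follows. This is an added example, not Tayra's own code: it splits a stored value into the four fields the page names and, going one step beyond what the page describes, also flags repeated nonces within a column. The version value `0x01`, the raw-bytes input, and the names `parse_envelope` and `audit_column` are assumptions.

```python
from collections import namedtuple

NONCE_LEN = 12                      # from the page: 12-byte nonce
TAG_LEN = 16                        # from the page: 16-byte auth tag
MIN_LEN = 1 + NONCE_LEN + TAG_LEN   # version + nonce + empty ciphertext + tag = 29
# ASSUMPTION: the page does not list valid version bytes; 0x01 is a placeholder.
KNOWN_VERSIONS = frozenset({0x01})
Envelope = namedtuple("Envelope", "version nonce ciphertext tag")


def parse_envelope(blob: bytes) -> Envelope:
    """Split a value into its fields; shape only, the tag is not verified."""
    if len(blob) < MIN_LEN:
        raise ValueError(f"too short: {len(blob)} bytes, need at least {MIN_LEN}")
    if blob[0] not in KNOWN_VERSIONS:
        raise ValueError(f"unknown version byte 0x{blob[0]:02x}")
    body = blob[1:]
    return Envelope(blob[0], body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:])


def audit_column(values):
    """Return (indexes failing the layout check, indexes repeating an earlier nonce)."""
    bad_layout, repeated, seen = [], [], set()
    for i, blob in enumerate(values):
        try:
            env = parse_envelope(blob)
        except ValueError:
            bad_layout.append(i)
            continue
        if env.nonce in seen:       # nonces must not repeat under one key
            repeated.append(i)
        seen.add(env.nonce)
    return bad_layout, repeated


# Constructed sample values (not real ciphertext).
def _sample(nonce_byte, body):
    return bytes([0x01]) + bytes([nonce_byte]) * NONCE_LEN + body + b"\xbb" * TAG_LEN


COLUMN = [_sample(0x10, b"\xaa" * 5), b"alice@example.com",
          _sample(0x20, b""), _sample(0x10, b"\xcc" * 9)]

if __name__ == "__main__":
    # Row 1 is cleartext; row 3 reuses the nonce of row 0.
    print(audit_column(COLUMN))
```

A value that passes this check has the right shape only; confirming that it is real ciphertext requires decrypting it with the key so that the auth tag is validated.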

Options

| Option | Alias | Required | Description |
| --- | --- | --- | --- |
| `--connection <conn>` | `-c` | Yes | Database connection string |

Use as a Deployment Gate

Add `verify` to your CI/CD pipeline to ensure encryption is complete before deploying:

```yaml
# GitHub Actions example
- name: Verify encryption coverage
  run: dotnet tayra verify --connection "${{ secrets.DB_CONNECTION_STRING }}"
```

If any PII-annotated columns contain unencrypted values, the command exits with a non-zero status code.

report

Generate a compliance report. The command supports all five report types provided by `ITayraCompliance`.

```bash
dotnet tayra report --type article30 --output art30-report.html
```

Options

| Option | Alias | Required | Default | Description |
| --- | --- | --- | --- | --- |
| `--type <type>` | `-t` | Yes | | Report type (see below) |
| `--output <path>` | `-o` | No | stdout | Output file path |

Report Types

| Type | Description |
| --- | --- |
| `article30` | GDPR Art. 30 -- Records of Processing Activities |
| `access` | GDPR Art. 15 -- Data Subject Access Report |
| `breach` | GDPR Art. 33/34 -- Breach Notification Report |
| `coverage` | Encryption Coverage Report |
| `key-lifecycle` | Key Lifecycle Report |

Examples

```bash
# Generate Art. 30 report to a file
dotnet tayra report --type article30 --output compliance/art30-report.html

# Generate encryption coverage report to stdout
dotnet tayra report --type coverage

# Generate key lifecycle report for the last 30 days
dotnet tayra report --type key-lifecycle --output key-lifecycle.html
```

health

Check key store connectivity and health. The command connects to the configured key store, performs a probe operation, and reports the status and latency.

```bash
dotnet tayra health --provider postgresql --connection "Host=localhost;Database=keystore"
```

Options

| Option | Alias | Required | Default | Description |
| --- | --- | --- | --- | --- |
| `--provider <provider>` | `-p` | No | `postgresql` | Key store provider: `postgresql`, `vault`, `azure`, `aws`, `inmemory` |
| `--connection <conn>` | `-c` | No | | Connection string or endpoint for the key store |

Examples

```bash
# Check PostgreSQL key store
dotnet tayra health --provider postgresql --connection "Host=db.internal;Database=keystore"

# Check HashiCorp Vault
dotnet tayra health --provider vault --connection "https://vault.internal:8200"

# Check Azure Key Vault
dotnet tayra health --provider azure --connection "https://mykeyvault.vault.azure.net"

# Check AWS KMS
dotnet tayra health --provider aws --connection "us-east-1"
```

rotate-key

Rotate an encryption key to a new version. The old key is preserved for decrypting existing data. New encryptions will use the rotated key.

```bash
dotnet tayra rotate-key --key-id "cust-customer-123"
```

Options

| Option | Alias | Required | Description |
| --- | --- | --- | --- |
| `--key-id <id>` | `-k` | Yes | Base key ID to rotate (e.g., "cust-customer-123") |

After rotation, the new key is created with a version suffix (e.g., `cust-customer-123:v2`). The old key remains available for decrypting existing data. To re-encrypt data with the new key, use the `migrate` command or call `tayra.ReEncryptAsync()` in your application code.

Example

```bash
# Rotate a customer's encryption key
dotnet tayra rotate-key --key-id "cust-customer-123"

# After rotation, re-encrypt data to use the new key
dotnet tayra migrate --connection "$DB_CONNECTION_STRING"
```

shred

Crypto-shred all data for a data subject by permanently deleting their encryption key. This is an irreversible operation -- all encrypted data for the subject becomes permanently unreadable.

```bash
dotnet tayra shred --subject "customer-123" --confirm
```

Options

| Option | Alias | Required | Description |
| --- | --- | --- | --- |
| `--subject <id>` | `-s` | Yes | Data subject ID to crypto-shred |
| `--confirm` | | No | Confirm the irreversible shredding operation |

DANGER

The `--confirm` flag is required to execute the shredding operation. Without it, the command prints a warning and exits without making changes. This is a safety measure -- crypto-shredding is permanent and cannot be undone.

Example

```bash
# Preview what will happen (no --confirm flag)
dotnet tayra shred --subject "customer-123"
# Output:
#   WARNING: This operation is IRREVERSIBLE.
#   All encryption keys for this subject will be permanently deleted.
#   Encrypted data will become unrecoverable.
#
#   To proceed, run: dotnet tayra shred --subject "customer-123" --confirm

# Execute the shredding operation
dotnet tayra shred --subject "customer-123" --confirm
```

migrate

Run a brownfield migration to encrypt existing plaintext data in a database. The command scans for PII-annotated columns containing cleartext values and encrypts them in batches.

```bash
dotnet tayra migrate --connection "Host=localhost;Database=myapp" --batch-size 500
```

Options

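| Option | Alias | Required | Default | Description |
| --- | --- | --- | --- | --- |
| `--connection <conn>` | `-c` | Yes | | Database connection string |
| `--batch-size <n>` | | No | `1000` | Number of rows to process per batch |
| `--dry-run` | | No | `false` | Preview migration without making changes |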

Examples

```bash
# Preview migration (no data changes)
dotnet tayra migrate --connection "$DB_CONN" --dry-run

# Run migration with default batch size (1000)
dotnet tayra migrate --connection "$DB_CONN"

# Run migration with smaller batches for memory-constrained environments
dotnet tayra migrate --connection "$DB_CONN" --batch-size 100

# Run migration with larger batches for fast servers
dotnet tayra migrate --connection "$DB_CONN" --batch-size 2000
```

WARNING

Always back up your database before running a migration. See the Brownfield Adoption guide for the full migration workflow including verification and rollback strategies.

CI/CD Integration

The CLI tool is designed for pipeline use. Here are common patterns:

Deployment Gate

Verify encryption coverage before deploying a new release. If any PII fields contain unencrypted values, the pipeline fails:

```yaml
# GitHub Actions
jobs:
  verify-encryption:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '9.0'
      - run: dotnet tool install --global Tayra.Cli
      - run: dotnet tayra verify --connection "${{ secrets.DB_CONNECTION_STRING }}"
```

Compliance Documentation

Generate an updated PII data map on every release and commit it to a compliance repository:

```yaml
# GitHub Actions
jobs:
  compliance-docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '9.0'
      - run: dotnet build --configuration Release
      - run: dotnet tool install --global Tayra.Cli
      - run: dotnet tayra inventory --assembly bin/Release/net9.0/MyApp.dll --format json > compliance/pii-inventory.json
      - run: dotnet tayra inventory --assembly bin/Release/net9.0/MyApp.dll --format markdown > compliance/pii-data-map.md
      - run: dotnet tayra report --type coverage --output compliance/encryption-coverage.html
```
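A committed data map becomes a review gate once each new build's inventory is compared with the last approved one. The following is an added example, not part of Tayra: it parses the plain-text layout shown under Example Output (the JSON schema is not documented on this page, so it is not used) and reports annotations that appeared or disappeared. The names `parse_inventory` and `drift` and the sample data are assumptions.

```python
import re

# Layout taken from the page's Example Output:
#   "  MyApp.Models.Customer"            -> entity line
#   "    [PersonalData] Email : String"  -> annotated property line
FIELD_RE = re.compile(r"^\s+\[(\w+)\]\s+(\w+)\s*:\s*\S+\s*$")
ENTITY_RE = re.compile(r"^\s+([A-Za-z_][\w.]*)\s*$")


def parse_inventory(text):
    """Return the set of (entity, attribute, property) triples in the text."""
    found, entity = set(), None
    for line in text.splitlines():
        field = FIELD_RE.match(line)
        if field:
            if entity is None:
                raise ValueError(f"property line before any entity: {line!r}")
            found.add((entity, field.group(1), field.group(2)))
            continue
        header = ENTITY_RE.match(line)
        if header:
            entity = header.group(1)
    return found


def drift(baseline_text, current_text):
    """Compare a reviewed baseline with a new build's inventory."""
    old, new = parse_inventory(baseline_text), parse_inventory(current_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample data in the page's output layout.
BASELINE = """\
Found 1 entity type(s) with PII annotations:

  MyApp.Models.Customer
    [DataSubjectId] CustomerId : String
    [PersonalData] Email : String
    [PersonalData] PhoneNumber : String
"""
# Constructed new build: PhoneNumber lost its annotation, DateOfBirth gained one.
CURRENT = BASELINE.replace("PhoneNumber", "DateOfBirth")

if __name__ == "__main__":
    result = drift(BASELINE, CURRENT)
    print(result)
    # Fail the job until someone reviews the change and updates the baseline.
    raise SystemExit(1 if result["added"] or result["removed"] else 0)
```

A "removed" entry deserves the closer look: it means a property that used to appear in the PII map no longer does.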

Pre-Deployment Key Store Health Check

Verify key store connectivity before deploying:

```yaml
# GitHub Actions
- name: Check key store health
  run: dotnet tayra health --provider postgresql --connection "${{ secrets.KEYSTORE_CONNECTION }}"
```

See Also