Obscuro

Encrypt secrets. Commit safely. Deploy anywhere.

A CLI that encrypts secrets in your git repo and injects them at deploy time.

~/.obscuro

How it works

01

Store a secret

Encrypt and store a secret
terminal
$ obscuro set API_KEY --value "sk-live-abc123"
Here's what actually gets committed
.obscuro/secrets.json
{
  "API_KEY": "AES256:v1:a3F7x...9kWm="
}
02

Using the secret

Use placeholders in your files — Docker Compose, Kubernetes manifests, anything.
docker-compose.yml
services:
  api:
    image: myapp:latest
    environment:
      API_KEY: __API_KEY__
The __API_KEY__ placeholder gets replaced with the real value at deploy time.
03

Inject and deploy

Pipe through obscuro inject and deploy
terminal
$ obscuro inject < docker-compose.yml | docker compose -f - up
This is what Docker Compose sees
stdin → docker compose
services:
  api:
    image: myapp:latest
    environment:
      API_KEY: sk-live-abc123
Secrets injected at runtime — never written to disk
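
A pre-commit or CI check for the workflow above, as an added example that is not part of Obscuro: it flags entries in .obscuro/secrets.json that are not encrypted and placeholders that have no stored secret. The AES256:v1: prefix and the __NAME__ pattern are assumptions taken from the single example shown here, and the sample store and manifest are constructed.

```python
import json
import re

# Assumptions taken from the one example on the page, not from Obscuro's docs:
# encrypted values start with "AES256:v1:" and placeholders look like __NAME__.
ENC_PREFIX = "AES256:v1:"
PLACEHOLDER = re.compile(r"__([A-Z][A-Z0-9_]*?)__")

# Constructed sample data: one encrypted entry, one value stored in the clear.
SAMPLE_STORE = '{"API_KEY": "AES256:v1:Y29uc3RydWN0ZWQ=", "DB_PASSWORD": "hunter2"}'
SAMPLE_TEMPLATE = """\
services:
  api:
    image: myapp:latest
    environment:
      API_KEY: __API_KEY__
      SENTRY_DSN: __SENTRY_DSN__
"""


def plaintext_entries(secrets_json):
    """Return names whose stored value does not look like an encrypted blob."""
    store = json.loads(secrets_json)
    return sorted(
        name for name, value in store.items()
        if not (isinstance(value, str)
                and value.startswith(ENC_PREFIX)
                and len(value) > len(ENC_PREFIX))
    )


def unresolved_placeholders(template, secrets_json):
    """Return placeholder names used in a manifest but absent from the store."""
    used = {m.group(1) for m in PLACEHOLDER.finditer(template)}
    return sorted(used - set(json.loads(secrets_json)))


if __name__ == "__main__":
    # Report names only; never print the values themselves.
    for name in plaintext_entries(SAMPLE_STORE):
        print(f"not encrypted in secrets.json: {name}")
    for name in unresolved_placeholders(SAMPLE_TEMPLATE, SAMPLE_STORE):
        print(f"placeholder without a stored secret: __{name}__")
```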

Features

Encrypted at rest

Secrets are encrypted before they touch disk.

Helm-native

One flag to inject secrets at deploy time.

OS Keychain

Master password lives in your system keychain. No env vars needed.

Lives in git

Secrets version-controlled alongside your code. Portable and auditable.

Edit in $EDITOR

Opens in your editor. Re-encrypts on save.

Self-updating

obscuro upgrade. That's it.

Get started

Here's the install script.
$ curl -sSL https://raw.githubusercontent.com/janklabs/obscuro/main/install.sh | sh
Or read the docs first