Obscuro

Configuration

Password resolution, environment variables, and global flags

Global Flags

These flags work with any command:

FlagWhat it does
-p, --passwordPass the master password inline
--password-fileRead password from a file (use - for stdin)

Password Resolution Order

Obscuro checks these sources in order and uses the first one it finds:

  1. --password flag
  2. --password-file flag
  3. OS keychain (keyed by your vault's salt)
  4. OBSCURO_PASSWORD environment variable
  5. Interactive TTY prompt

Environment Variables

VariableWhat it does
OBSCURO_PASSWORDMaster password (skips the interactive prompt)
OBSCURO_NO_UPDATE_CHECKSet to 1 to stop update checks
EDITOREditor for obscuro edit (defaults to vi)

CI/CD Usage

In automated environments there's no TTY to prompt for a password, so pass it via env var or flag:

export OBSCURO_PASSWORD="$VAULT_SECRET"
obscuro inject < manifests.yaml > decrypted.yaml

Or with a flag:

obscuro --password-file /run/secrets/obscuro-pw inject < manifests.yaml

obscuro version

Print the Obscuro version

Docker Compose

Use Obscuro to inject secrets into Docker Compose projects

On this page

Global FlagsPassword Resolution OrderEnvironment VariablesCI/CD Usage