obscura 命令

常用示例

说明

obscura is a single-binary, cross-platform vault for the API keys, tokens, and other secrets that pile up during local development. Secrets are encrypted on disk with a key derived from a user passphrase via Argon2 and unlocked on demand, so nothing is left in plain text in .env files, shell history, or process environments. Two scopes are supported: a per-project vault stored alongside the repository, and a global vault for the current user. The add --from-global flag copies entries between them, and import / export --dotenv make it easy to migrate from existing dotenv-based workflows. The run subcommand spawns a child process with the vault decrypted into its environment and re-locks afterwards, making obscura a drop-in replacement for ad-hoc export FOO=... shell commands.

参数

init --global

Create a project vault, or a global vault when --global is passed.

add _alias_ --global|--project|--from-global

Store a secret under _alias_, optionally pulling its value from the global vault.

get _alias_

Print the secret stored under _alias_ to stdout.

list, ls --json --global|--project

Display the entries of the active vault.

remove _alias_ --yes

Delete a secret. --yes skips the confirmation prompt.

delete --global|--project --yes

Destroy an entire vault. Both flags are required.

rotate _alias_

Replace the secret value under _alias_ while preserving its timestamps.

import _file_

Import key/value pairs from a dotenv file into the active vault.

export --dotenv --output _file_

Export secrets in dotenv format, either to stdout or to _file_.

run -- _command_ _args_...

Execute _command_ with vault entries injected as environment variables.

unlock --timeout _MINUTES_

Cache the derived vault key for _MINUTES_ (default 60).

lock

Discard any cached vault keys.