Custodia commands

custodia server

Custodia server

usage: custodia [-h] [--debug] [--instance INSTANCE] [configfile]

Positional Arguments

configfile Path to custodia server config (default: /etc/custodia/{instance}/custodia.conf)

Named Arguments


--debug Debug mode

Default: False

--instance Instance name

custodia client

Custodia command line interface

usage: custodia-cli [-h] [--server SERVER | --instance INSTANCE]
                    [--uds-urlpath UDS_URLPATH] [--header HEADER] [--verbose]
                    [--debug] [--timeout TIMEOUT] [--cafile CAFILE]
                    [--certfile CERTFILE] [--keyfile KEYFILE] [--gssapi]
                    {mkdir,rmdir,ls,get,set,del,plugins} ...

Named Arguments

--server Custodia server location, supports http://, https://, or path to a unix socket.

--instance Instance name (default: CUSTODIA_INSTANCE or ‘custodia’)

Default: custodia


--uds-urlpath URL path for Unix Domain Socket

Default: “/secrets/”

--header Extra headers
--verbose Default: False
--debug Default: False

--timeout Connection timeout

Default: 10.0

--cafile PEM encoded file with root CAs

TLS client cert auth

--certfile PEM encoded file with certs for TLS client authentication
--keyfile PEM encoded key file (if not given, key is read from certfile)



--gssapi Use Negotiate / GSSAPI auth

Default: False



Create a container

custodia-cli mkdir [-h] name
Positional Arguments
name key


Delete a container

custodia-cli rmdir [-h] name
Positional Arguments
name key


List content of a container

custodia-cli ls [-h] name
Positional Arguments
name key


Get secret

custodia-cli get [-h] name
Positional Arguments
name key


Set secret

custodia-cli set [-h] name value
Positional Arguments
name key
value value


Delete a secret

custodia-cli del [-h] name
Positional Arguments
name key


List plugins

custodia-cli plugins [-h] [--verbose]
Named Arguments

--verbose Verbose mode, show failing plugins.

Default: False