ov auth
Commands
| Command | Description |
|---|---|
| `ov auth login` | Authenticate and store API key locally |
| `ov auth change-password` | Change your master password and re-wrap all DEKs |
| `ov auth derive-machine-key` | Generate a machine key file for non-interactive use |
ov auth login
```sh
ov auth login
```

Prompts for your email and master password. OpaqueVault derives your Key Encryption Key (KEK) from the password using Argon2id — the KEK never leaves your machine. An API key is created and stored in `~/.config/ov/config.toml`.
On first login, a default app is created automatically.
ov auth change-password
```sh
ov auth change-password
```

Changes your master password. Prompts for your current password and new password, then atomically re-wraps every DEK under the new KEK. All secrets remain decryptable with the new password — nothing is re-encrypted from scratch.
ov auth derive-machine-key
```sh
ov auth derive-machine-key --out /etc/ov/machine.kek
```

Derives a 32-byte machine key from your master password and writes it to a file with 0600 permissions. Used for non-interactive environments (CI/CD, servers, systemd services) where prompting for a password is not possible.

```
# Flags
--out PATH   Path to write the machine key file (required)
```

Once generated, pass the file to commands that support `--machine-key`:

```sh
ov run --machine-key /etc/ov/machine.kek --secrets DATABASE_URL -- ./migrate
ov agent start --machine-key /etc/ov/machine.kek --app my-saas
```

See Machine key setup for a full guide on non-interactive deployments.
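
A preflight check for the machine key file described above, as an added example that is not part of OpaqueVault: it confirms the file is still the 32-byte, mode 0600 file that `ov auth derive-machine-key` writes before a deploy script passes it to `--machine-key`. The helper name `check_machine_key` is hypothetical, and the symlink and owner checks are extra hardening assumed here rather than documented `ov` behaviour.

```shell
#!/bin/sh
# Added example: preflight check for an OpaqueVault machine key file.
# check_machine_key is a hypothetical helper, not an ov command.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the numeric owner uid of a file.
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Return 0 only if the key file matches what derive-machine-key writes:
# a regular file, exactly 32 bytes, mode 0600. The symlink and owner
# checks are assumptions added for hardening.
check_machine_key() {
    key=$1
    if [ -L "$key" ]; then
        echo "refusing symlink: $key" >&2; return 1
    fi
    if [ ! -f "$key" ]; then
        echo "not a regular file: $key" >&2; return 1
    fi
    size=$(wc -c < "$key" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "expected 32 bytes, found $size: $key" >&2; return 1
    fi
    mode=$(file_mode "$key")
    if [ "$mode" != "600" ]; then
        echo "expected mode 600, found $mode: $key" >&2; return 1
    fi
    if [ "$(file_uid "$key")" != "$(id -u)" ]; then
        echo "not owned by the current user: $key" >&2; return 1
    fi
    return 0
}

# Typical use in a deploy script, with the command shown on this page:
#   check_machine_key /etc/ov/machine.kek &&
#       ov run --machine-key /etc/ov/machine.kek --secrets DATABASE_URL -- ./migrate
```

A failed check means the file was replaced, truncated, or had its permissions loosened since it was generated; regenerate it with `ov auth derive-machine-key` rather than fixing it in place.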