Init Command
Use the init command to create and manage encryption keys that secure API Ops CLI configurations.
Overview
The init command is used to initialize the encryption keys that are required by the API Ops CLI.
These keys help you to:
- Secure sensitive data such as passwords, tokens, and secrets.
- Encrypt and decrypt values in configuration files.
- Protect PKI keystore passwords.
Init command usage
Run this command:
- During the initial setup of the API Ops CLI.
- If the encryption key file is missing or corrupted.
- During the encryption key rotation process.
Syntax
The following is the syntax for the init command:
./api-ops.sh command=init \
baseConfigFolder=<path_to_config_folder> \
encryptionKeystorePath=<path_to_encryption_keystore>
The following table describes the parameters:
| Parameter | Required | Description |
|---|---|---|
| command | Yes | Specifies the operation to run. Set this value to init to generate the encryption keys required by the API Ops CLI. |
| baseConfigFolder | Yes | Specifies the path to the API Ops CLI configuration directory that contains the files used during encryption key initialization. |
| encryptionKeystorePath | Yes | Specifies the path to the encryption keystore file that stores the generated encryption keys. |
Example:
Execute the init command from the /bin directory:
./api-ops.sh command=init baseConfigFolder=/Users/apiops.user/Temp/api-ops-2026.1.0/config encryptionKeystorePath=/Users/apiops.user/Temp/api-ops-2026.1.0/keystore/encryption-keystore.p12
Result:
After you run the init command:
- The CLI creates a PKCS12 encryption keystore that contains a 256‑bit AES key at the specified path.
- The CLI scans all YAML files in the baseConfigFolder directory.
- The CLI replaces each pwd:<plaintext> value with an encrypted enc:<ciphertext> value in-place on disk.
- The CLI leaves non‑sensitive values such as URLs, usernames, and paths unchanged.
At runtime, the CLI decrypts enc: values in memory only. The encrypted values on disk remain encrypted and are never reverted to plaintext.
Example:
New encryption key created at /Users/apiops.user/Temp/api-ops-2026.1.0/keystore/encryption-keystore.p12
WARNING: Encryption keystore at /Users/apiops.user/Temp/api-ops-2026.1.0/keystore/encryption-keystore.p12. Do NOT commit this file to version control. Add to .gitignore. Protect with chmod 600.
Found 3 YAML file(s) in /Users/apiops.user/Temp/api-ops-2026.1.0/config
Processing config file: environment-config.yaml
Encrypted 5 pwd: value(s)
Processing config file: export-config.yaml
No pwd: or enc: values found — nothing to encrypt
Processing config file: import-config.yaml
No pwd: or enc: values found — nothing to encrypt
api-ops init complete. Keystore created, 3 file(s) processed.
Example: Encrypted data
Before:
environments:
  dev:
    tenantUserName: "admin@dev.example.com"
    tenantPassword: "pwd:changeit"
    pmUserName: "administrator"
    pmPassword: "pwd:changeit"
After:
environments:
  dev:
    tenantUserName: "admin@dev.example.com"
    tenantPassword: "enc:CCuLAM9vhWUE5kqpchXGPsPd6axu+fbkPMap6v//zNvma4W/YQ=="
    pmUserName: "administrator"
    pmPassword: "enc:EcG4vJHTsjmV0FKOdcyYKvK4s6TE+P6dEHE162I6RD9pmNYf"
Rotate encryption keys
Rotate encryption keys to maintain the security of sensitive data used by the API Ops CLI.
Consider the following when rotating encryption keys:
- Store the keystore in a secure location with restricted access.
- Do not commit the keystore to version control.
- Rotate encryption keys periodically.
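The following script is an added example, not part of the API Ops CLI or its documentation. It checks the state that the init command and its warning describe: no pwd: values left in the YAML files, keystore mode 600, and the keystore ignored by git. The function names and the .yaml/.yml extension match are assumptions.

```shell
#!/bin/sh
# Added example: post-init checks. Function names are illustrative, not CLI features.
# Usage: verify_init_result <baseConfigFolder> <encryptionKeystorePath>

# Print file:line for every YAML value still marked pwd: (not converted to enc:).
# Only the location is printed, never the value. Returns 1 if any are found.
# Assumption: YAML files end in .yaml or .yml; values are unquoted or double-quoted.
find_plaintext_values() {
    hits=$(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        -exec grep -nE ':[[:space:]]*"?pwd:' /dev/null {} + || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | cut -d: -f1,2
        return 1
    fi
}

# True only if the keystore is a regular file with mode exactly 600.
keystore_mode_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}

# True only if git ignores the keystore. check-ignore reports nothing for
# tracked files, so an already committed keystore fails this check, as does
# a keystore that is not inside a git work tree.
keystore_ignored() {
    ( cd "$(dirname "$1")" &&
      git check-ignore -q -- "$(basename "$1")" ) 2>/dev/null
}

# Run all three checks; the return status is the number of failed checks.
verify_init_result() {
    config_dir=$1 keystore=$2 failed=0
    find_plaintext_values "$config_dir" ||
        { echo "FAIL: plaintext pwd: values remain" >&2; failed=$((failed + 1)); }
    keystore_mode_ok "$keystore" ||
        { echo "FAIL: keystore mode is not 600" >&2; failed=$((failed + 1)); }
    keystore_ignored "$keystore" ||
        { echo "FAIL: keystore is not ignored by git" >&2; failed=$((failed + 1)); }
    return "$failed"
}
```

Run it after init and after each key rotation, for example as a pre-commit or CI step; a non-zero status means at least one check failed.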