.env variables

Brume reads configuration from a .env file in the current working directory (or from the process environment if .env is absent). Two categories: secrets (mandatory) and connections (one source, one target).

These two values are the “additional information” of GDPR Art. 4.5 — protect them at the same level as the source data.

| Variable | Required | Description |
| --- | --- | --- |
| BRUME_HMAC_SECRET | yes | Seeds FAKE, HASH, linked_columns. Any high-entropy string ≥ 32 chars. |
| BRUME_FPE_KEY | yes | Keys the FF1 cipher used by FPE_ID / FPE_UUID. Must be at least 16 characters. |

The database Brume reads from. Use a read-only account.

| Variable | Required | Description |
| --- | --- | --- |
| BRUME_SOURCE_HOST | yes | Hostname or IP |
| BRUME_SOURCE_PORT | no | Port. Default 5432. |
| BRUME_SOURCE_DB | yes | Database name |
| BRUME_SOURCE_USER | yes | Username (read-only recommended) |
| BRUME_SOURCE_PASSWORD | yes | Password |
| BRUME_SOURCE_SSLMODE | no | disable · prefer · require · verify-full. Default prefer. |

Either a Postgres connection or a directory for .sql output. Set one block, not both.

| Variable | Required | Description |
| --- | --- | --- |
| BRUME_TARGET_HOST | yes | Hostname or IP |
| BRUME_TARGET_PORT | no | Port. Default 5432. |
| BRUME_TARGET_DB | yes | Database name |
| BRUME_TARGET_USER | yes | Username (must be able to CREATE and INSERT) |
| BRUME_TARGET_PASSWORD | yes | Password |
| BRUME_TARGET_SSLMODE | no | Same values as source. |

| Variable | Required | Description |
| --- | --- | --- |
| BRUME_TARGET_FILE | yes | Path to the .sql file Brume will write |
| BRUME_TARGET_FILE_COMPRESS | no | gzip to compress on the fly. Default: uncompressed. |

When BRUME_TARGET_FILE is set, the Postgres target variables are ignored.

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| BRUME_FK_DEPTH_OVERRIDE | no | | Overrides extraction.fk_depth from brume.yml. Useful in CI for quick smoke runs. |
| BRUME_PARALLELISM | no | 4 | Number of worker threads for transformation. |
| BRUME_LOG_FORMAT | no | pretty | pretty or json. --json flag overrides this. |
| BRUME_LOCALE | no | system | Locale for Datafaker (e.g. fr_FR, en_US, de_DE). |
# --- Secrets (protect at the level of the source data) ---
BRUME_HMAC_SECRET=8aZb4...kpR9 # ≥ 32 chars, high entropy
BRUME_FPE_KEY=AnotherSecret16ch # ≥ 16 chars
# --- Source (read-only) ---
BRUME_SOURCE_HOST=db.prod.internal
BRUME_SOURCE_DB=app_production
BRUME_SOURCE_USER=brume_reader
BRUME_SOURCE_PASSWORD=...
BRUME_SOURCE_SSLMODE=require
# --- Target = local Postgres ---
BRUME_TARGET_HOST=localhost
BRUME_TARGET_DB=app_dev
BRUME_TARGET_USER=app
BRUME_TARGET_PASSWORD=...
# --- Options ---
BRUME_PARALLELISM=8
BRUME_LOCALE=fr_FR
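
A pre-flight check for the rules this page states (secret lengths, required source variables, one target block, allowed sslmode values), as an added example that is not part of Brume. The names parse_env and check, the inline-comment handling, and the source sslmode policy are assumptions; the sample input is constructed.

```python
SSLMODES = {"disable", "prefer", "require", "verify-full"}  # values listed on this page
SOURCE = ["BRUME_SOURCE_HOST", "BRUME_SOURCE_DB", "BRUME_SOURCE_USER", "BRUME_SOURCE_PASSWORD"]
PG_TARGET = ["BRUME_TARGET_HOST", "BRUME_TARGET_DB", "BRUME_TARGET_USER", "BRUME_TARGET_PASSWORD"]

def parse_env(text):
    """Minimal KEY=VALUE parser. Assumption: ' #' starts an inline comment."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.split(" #", 1)[0].strip()
    return env

def check(env):
    """Return findings; an empty list means the documented rules are met."""
    findings = []
    for name, minimum in (("BRUME_HMAC_SECRET", 32), ("BRUME_FPE_KEY", 16)):
        if len(env.get(name, "")) < minimum:
            findings.append(f"{name}: missing or shorter than {minimum} characters")
    findings += [f"{n}: required" for n in SOURCE if not env.get(n)]
    pg_set = [n for n in PG_TARGET if env.get(n)]
    if env.get("BRUME_TARGET_FILE"):
        if pg_set:
            findings.append("target: file and Postgres blocks both set (Postgres ignored)")
    else:
        findings += [f"{n}: required" for n in PG_TARGET if n not in pg_set]
    for side in ("SOURCE", "TARGET"):
        mode = env.get(f"BRUME_{side}_SSLMODE", "prefer")  # documented default
        if mode not in SSLMODES:
            findings.append(f"BRUME_{side}_SSLMODE: unknown value {mode!r}")
    # Added policy (assumption, not a Brume rule): the source link should enforce TLS.
    if env.get("BRUME_SOURCE_SSLMODE", "prefer") in ("disable", "prefer"):
        findings.append("BRUME_SOURCE_SSLMODE: use require or verify-full for the source")
    return findings

# Constructed sample: short HMAC secret, both target blocks set, source sslmode at default.
SAMPLE = """\
BRUME_HMAC_SECRET=tooshort   # constructed value
BRUME_FPE_KEY=constructed-fpe-key-0001
BRUME_SOURCE_HOST=db.example.internal
BRUME_SOURCE_DB=app
BRUME_SOURCE_USER=brume_reader
BRUME_SOURCE_PASSWORD=constructed-password
BRUME_TARGET_HOST=localhost
BRUME_TARGET_FILE=out/dump.sql
"""

if __name__ == "__main__":
    print(*check(parse_env(SAMPLE)), sep="\n")
```

Run it against the real file with check(parse_env(open(".env").read())) before invoking Brume, for example as a CI step.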

Creating a read-only account on the source

Suggested minimal grants:

CREATE ROLE brume_reader WITH LOGIN PASSWORD '...';
GRANT CONNECT ON DATABASE app_production TO brume_reader;
GRANT USAGE ON SCHEMA public TO brume_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO brume_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO brume_reader;

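Adjust the schema name if your tables live outside public. Note that ALTER DEFAULT PRIVILEGES without a FOR ROLE clause only covers tables later created by the role that runs the statement, so run it as the role that creates tables in that schema (or add FOR ROLE).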