diff --git a/src/main.rs b/src/main.rs
index d55abdb..b69eae9 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -40,7 +40,6 @@ struct Cli {
     raw_key: Option<Zeroizing<String>>,
 
     /// Read passphrase interactively (terminal). Implies argon2id KDF on encrypt.
-    /// This is the default when no key source is specified.
     #[clap(short, long)]
     passphrase: bool,
 
@@ -159,13 +158,8 @@ fn run(mut cli: Cli) -> Result<(), FcryError> {
     let raw_key_str: Option<Zeroizing<String>> = cli.raw_key.take();
     let pw_src: Option<PassphraseSource> = if cli.passphrase {
         Some(PassphraseSource::Tty)
-    } else if let Some(var) = cli.passphrase_env.take() {
-        Some(PassphraseSource::EnvVar(var))
-    } else if raw_key_str.is_none() {
-        // Default to interactive TTY passphrase when no key source is given.
-        Some(PassphraseSource::Tty)
     } else {
-        None
+        cli.passphrase_env.take().map(PassphraseSource::EnvVar)
     };
 
     let decrypt_mode = cli.decrypt;
@@ -184,6 +178,12 @@ fn run(mut cli: Cli) -> Result<(), FcryError> {
     let length = cli.length;
     drop(cli);
 
+    if pw_src.is_none() && raw_key_str.is_none() {
+        return Err(FcryError::Format(
+            "must provide one of --raw-key, --passphrase, --passphrase-env".into(),
+        ));
+    }
+
     if decrypt_mode {
         let raw_key = match raw_key_str.as_deref() {
             Some(s) => Some(parse_raw_key(s)?),