Skip to main content

Lightweight API to store/retrieve secrets to/from an encrypted Database

Project description

VaultAPI

Lightweight API to store/retrieve secrets to/from an encrypted Database

VaultAPI is designed to be extremely lightweight, secure, and easy to use. It provides cutting-edge security features like AES-GCM, Fernet encryption, and rate limiting all out of the box. It also includes transit encryption to ensure that the secrets are encrypted during transit to protect against man-in-the-middle attacks.

Python

Platform Supported

Platform docker-image

Deployments

docker pypi

coverage dependabot

markdown pages

Pypi Pypi-format Pypi-status

Kick off

Recommendations

Install VaultAPI

python -m pip install vaultapi

Initiate - IDE

import vaultapi

if __name__ == '__main__':
    vaultapi.start()

Initiate - CLI

vaultapi start

Use vaultapi --help for usage instructions.

Environment Variables

Sourcing environment variables from an env file

By default, VaultAPI will look for a .env file in the current working directory.

Mandatory

  • APIKEY - API Key for authentication.
  • SECRET - Secret access key to encrypt/decrypt the secrets in the Datastore.

Optional (with defaults)

  • TRANSIT_KEY_LENGTH - AES key length for transit encryption. Defaults to 32
  • TRANSIT_TIME_BUCKET - Interval for which the transit epoch should remain constant. Defaults to 60
  • AUTHORIZATION_VALIDITY - Time in seconds for which the authorization header is valid. Defaults to 30
  • DATABASE - FilePath to store the secrets' database. Defaults to secrets.db
  • HOST - Hostname for the API server. Defaults to 0.0.0.0 [OR] localhost
  • PORT - Port number for the API server. Defaults to 9010
  • WORKERS - Number of workers for the uvicorn server. Defaults to 1
  • RATE_LIMIT - List of dictionaries with max_requests and seconds to apply as rate limit. Defaults to 5req/2s [AND] 10req/30s

Optional (without defaults)

  • LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.
  • ALLOWED_ORIGINS - List of origins that should be allowed through CORS.

Optional (UI integration)

  • ENABLE_UI - Boolean flag to enable the UI. Defaults to false
  • AUTH_DATABASE - FilePath to store the UI authentication database. Defaults to auth.db
  • TOTP_TOKEN - Secret token for TOTP authentication in the UI. Can be generated using any TOTP generator app like Google Authenticator or Authy.
  • UI_LIFETIME - Time in seconds for which the UI session should remain active. Defaults to 900 (15 minutes)
Auto generate a SECRET value

This value will be used to encrypt/decrypt the secrets stored in the database.

CLI

vaultapi keygen

IDE

from cryptography.fernet import Fernet
print(Fernet.generate_key())

API Functionality

Endpoint Description API method Authorization Header
/health API health endpoint GET N/A
/get-secret Retrieve secrets (comma separated list) GET HMAC-SHA512(apikey+timestamp)
/get-table Get ALL the secrets stored in a table GET HMAC-SHA512(apikey+timestamp)
/list-tables List all available tables GET HMAC-SHA512(apikey+timestamp)
/create-table Create a new table POST HMAC-SHA512(apikey+timestamp)
/put-secret Store or update a secret (key-value pairs) PUT HMAC-SHA512(apikey+secret+timestamp)
/delete-secret Delete a specific secret DELETE HMAC-SHA512(apikey+secret+timestamp)
/delete-table Deletes an existing table DELETE HMAC-SHA512(apikey+secret+timestamp)
/rename-table Renames an existing table PATCH HMAC-SHA512(apikey+secret+timestamp)

Clients

Clients are available in multiple languages to interact with the API server.

Python: VaultAPI-Client-python

Rust: VaultAPI-Client-rust

Checkout decryptors for on-demand scripts to decrypt the secrets retrieved from the API.

Coding Standards

Docstring format: Google
Styling conventions: PEP 8 and isort

Release Notes

Requirement

python -m pip install gitverse

Usage

gitverse-release reverse -f release_notes.rst -t 'Release Notes'

Linting

pre-commit will ensure linting, run pytest, generate runbook & release notes, and validate hyperlinks in ALL markdown files (including Wiki pages)

Requirement

python -m pip install sphinx==5.1.1 pre-commit recommonmark

Usage

pre-commit run --all-files

Pypi Package

pypi-module

https://pypi.org/project/VaultAPI/

Docker Image

made-with-docker-doc

https://hub.docker.com/r/thevickypedia/vaultapi

Runbook

made-with-sphinx-doc

https://thevickypedia.github.io/VaultAPI/

License & copyright

© Vignesh Rao

Licensed under the MIT License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vaultapi-0.6.1-py3-none-any.whl (59.7 kB view details)

Uploaded Python 3

File details

Details for the file vaultapi-0.6.1-py3-none-any.whl.

File metadata

  • Download URL: vaultapi-0.6.1-py3-none-any.whl
  • Upload date:
  • Size: 59.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.0rc1

File hashes

Hashes for vaultapi-0.6.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b937cf370deacdedef8ae25257197c3d693f060b32ec33b9702b013ba50d4b40
MD5 3ce61ba7f490919d948889d9005d57a4
BLAKE2b-256 1285f6ed9b27d935cf0efff8d1818be44269b198d9d16a3f5736b71ac6995ab9

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page