Skip to main content
Join the official Python Developers Survey 2018 and win valuable prizes: Start the survey!

Code Crypt

Project description

[![CircleCI](https://circleci.com/gh/Nextdoor/code-crypt.svg)](https://circleci.com/gh/Nextdoor/code-crypt)

# Code Crypt

Code Crypt provides a simple Python library and command line interface to
manage your application secrets within a project repository. Master keys are
managed externally by the AWS Key Management Service (KMS), which perform
envelope encryption on a RSA private key used for decrypts on individual
secrets within a particular environment context. Encrypted secrets are kept
as binary files within the project folder using hybrid RSA-AES cryptopgraphy.

It supports Python 2.6 or newer and all Python 3 versions.

## Features

- Self-serve for project contributors
- Scalable for a large amount of secrets (1 KMS API call to decrypt all secrets)
- CRUD operations on a per-secret basis
- Environment contexts (development, staging, production)

## Initialize Project

We have a project `my_project` that we'd like to initialize with 3 different
environment contexts (`development`, `staging` and `production`) with their own
KMS master keys.

$ APP_ROOT=/Users/bob/my_project code-crypt --env development --init --kms-key-id aaaaaaaa-bbbb-cccc-dddd-123456111111
$ APP_ROOT=/Users/bob/my_project code-crypt --env staging --init --kms-key-id eeeeeeee-ffff-gggg-hhhh-123456222222
$ APP_ROOT=/Users/bob/my_project code-crypt --env production --init --kms-key-id iiiiiiii-jjjj-kkkk-llll-123456333333

This will initialize the project folder with a data directory of the following
structure:

$ pwd
/Users/bob/my_project
$ tree
.
└── code_crypt
└── data
├── keys
│   ├── development
│   │   ├── encrypted_private_key.pem
│   │   └── public_key.asc
│   ├── production
│   │   ├── encrypted_private_key.pem
│   │   └── public_key.asc
│   └── staging
│   ├── encrypted_private_key.pem
│   └── public_key.asc
└── secrets
├── development
├── production
└── staging

(Note: `--env` defaults to `development` and won't be explicitly used in this
guide going forward.)

## Encrypt Secrets

Single secrets can be encrypted with `--encrypt` option.

$ APP_ROOT=/Users/bob/my_project code-crypt --encrypt SOME_SECRET='a1b2c3'

In this case an encrypted binary file would be created at
`code_crypt/data/secrets/development/SOME_SECRET.bin`.

## Decrypt Secrets (CLI)

Single secrets can be decrypted with `--decrypt` option which returns a
plaintext value.

$ APP_ROOT=/Users/bob/my_project code-crypt --decrypt SOME_SECRET
a1b2c3

Multiple secrets can be decrypted with the `--decrypt-all` option which returns
a JSON string
of key-value pairs.

$ APP_ROOT=/Users/bob/my_project code-crypt --decrypt-all
{
"SOME_SECRET": "a1b2c3"
}

## Decrypt Secrets (Application)

Prerequisite: Grant your application run-time authentication to its environment's respective
KMS master key.

Create a Code Crypt object and run the `decrypt()` function.

from code_crypt import core as code_crypt

CC = code_crypt.CodeCrypt(app_root=MY_APP_ROOT, env=MY_ENV)
CC_SECRETS = CC.decrypt()

The resulting `CC_SECRETS` object is a dict of decrypted secret key-value pairs.


# Developer Setup

If you are interested in working on the codebase, setting up your development
environment is quick and easy.

$ virtualenv .venv
$ source .venv/bin/activate
$ pip install -r requirements.txt

Project details


Release history Release notifications

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
code_crypt-0.0.10-py2.7.egg (10.6 kB) Copy SHA256 hash SHA256 Egg 2.7 Oct 3, 2017

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page