Store credentials securely as ciphertext and decrypt on the fly with AWS KMS

credkeep

credkeep is a Python package that helps ease the pain of storing sensitive credentials. Credentials that are securely encrypted using AWS’s Key Management Service (KMS) can be stored in version control systems, where they cannot be decrypted without access to a user’s encryption key on KMS.

Installation

pip install credkeep

Usage

credkeep requires you to configure your own KMS master key. This key is used to encrypt/decrypt your data and is securely stored by AWS. Your KMS master keys can be viewed at https://console.aws.amazon.com/iam/home#encryptionKeys. For information about creating new master keys, see http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html.

API secrets should not be stored in plain text. For example, take developer_secrets.json:

{
    "SECRET_API_KEY": "thisismysecretkey",
    "ANOTHER_API_KEY": "anotherkey"
}

By calling credkeep.encrypt_file, the file is encrypted to:

{
  "SECRET_API_KEY": "CiAr4gKwrApZNibuqh1YKjlIGMj4A4GSHArF+0lCqBnqOxKfAQEBAgB4K+ICsKwKWTYm7qodWCo5SBjI+AOBkhwKxftJQqgZ6jsAAAB2MHQGCSqGSIb3DQEHBqBnMGUCAQAwYAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzGyPmdgqEbxzvnjKICARCAMzOd+DIaI/rUbc8dYQTxGS8aQQNjgXPt6Or0rxo7fFn0rA5/Kf6zpnui0q9XXtUatL4D3Q==",
  "ANOTHER_API_KEY": "CiAr4gKwrApZNibuqh1YKjlIGMj4A4GSHArF+0lCqBnqOxKXAQEBAgB4K+ICsKwKWTYm7qodWCo5SBjI+AOBkhwKxftJQqgZ6jsAAABuMGwGCSqGSIb3DQEHBqBfMF0CAQAwWAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxgB3p/zbVarLd/5a4CARCAK4w48/dCK7EvwTDELb11bpBe8TpaIhcCalfOqACQzoLoqgciAY8DuczOvRs="
}

This encrypted JSON file is safe to distribute via version control, because decrypting it requires access to the master key on KMS. When the secrets in the file are needed, the file can be decrypted using credkeep.decrypt_file. This function can optionally set local environment variables with the decrypted secrets. These environment variables will not persist between shells or reboots.
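The encrypt/decrypt round trip described above, written against the KMS API as an added example that is not credkeep's own code. It assumes each JSON value is sent to KMS Encrypt and stored base64-encoded, uses the boto3 call shapes kms.encrypt and kms.decrypt, and substitutes a constructed StandInKMS class (not real encryption) and a hypothetical key alias so that it runs without AWS access.

```python
import base64
import json
import os


def encrypt_values(kms, key_id, secrets):
    """Encrypt each value with KMS; the returned dict is what gets committed."""
    out = {}
    for name, value in secrets.items():
        # Real KMS Encrypt accepts at most 4096 bytes of plaintext per call.
        resp = kms.encrypt(KeyId=key_id, Plaintext=value.encode("utf-8"))
        out[name] = base64.b64encode(resp["CiphertextBlob"]).decode("ascii")
    return out


def decrypt_values(kms, encrypted, environ=None):
    """Decrypt each value; optionally export into `environ` (e.g. os.environ).

    os.environ changes exist only in this process and its children, which is
    why exported secrets do not survive a new shell or a reboot.
    """
    out = {}
    for name, blob in encrypted.items():
        # validate=True rejects values that are not strict base64, such as a
        # plaintext secret left in the file by mistake.
        resp = kms.decrypt(CiphertextBlob=base64.b64decode(blob, validate=True))
        out[name] = resp["Plaintext"].decode("utf-8")
        if environ is not None:
            environ[name] = out[name]
    return out


class StandInKMS:
    """Constructed offline stand-in for boto3.client("kms"). NOT encryption:
    it only mimics the request/response shape so the example runs without AWS."""

    def encrypt(self, KeyId, Plaintext):
        return {"KeyId": KeyId, "CiphertextBlob": b"standin:" + Plaintext[::-1]}

    def decrypt(self, CiphertextBlob):
        if not CiphertextBlob.startswith(b"standin:"):
            raise ValueError("not a blob produced by this stand-in")
        return {"Plaintext": CiphertextBlob[len(b"standin:"):][::-1]}


if __name__ == "__main__":
    kms = StandInKMS()  # with AWS access: kms = boto3.client("kms")
    plain = {"SECRET_API_KEY": "thisismysecretkey", "ANOTHER_API_KEY": "anotherkey"}
    enc = encrypt_values(kms, "alias/example-key", plain)  # hypothetical alias
    print(json.dumps(enc, indent=2))
    assert decrypt_values(kms, enc, os.environ) == plain
    print("exported to this process only:", "SECRET_API_KEY" in os.environ)
```

With a real client, the IAM principal running the decrypt step needs kms:Decrypt on the key; without it the committed file stays opaque.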

Source Distribution

credkeep-0.2.1.zip (11.1 kB)

Hashes for credkeep-0.2.1.zip
Algorithm Hash digest
SHA256 f1f4997a351d0bb304f9be13b61a94eab9df2e420631ce08e3913e7c71069c07
MD5 4f49a266c04e8917d9c18565a440fb11
BLAKE2b-256 705318898ce7a9ab4efbe0a1addd80ba4e30d075ccdf67e4b15bf8d4041e6358
