Skip to main content

Store credentials securely as ciphertext and decrypt on the fly with AWS KMS

Project description


credkeep is a python package that helps ease the pain of storing sensitive credentials. Credentials that are securely encrypted using AWS’s Key Management Service (KMS) can be stored in version control systems where they cannot be decrypted without access to a users encryption key on KMS.


pip install credkeep


credkeep requires you to configure your own KMS master key. This key is used to encrypt/decrypt your data and is securely stored by AWS. Your KMS master keys can be viewed at For information about creating new master keys, see

Plaintext api secrets should not be stored in plain text. For example developer_secrets.json

    "SECRET_API_KEY": "thisismysecretkey",
    "ANOTHER_API_KEY": "anotherkey"

By calling credkeep.encrypt_file


This encrypted json file is safe to distribute via version control as it requires access to the master key on KMS. When the secrets in the file are required the file can be decrypted using credkeep.decrypt_file. This function can optionally set local environment variables with the decrypted secrets. These environment variables will not persist between shells or reboots.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for credkeep, version 0.2.1
Filename, size File type Python version Upload date Hashes
Filename, size (11.1 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page