Skip to main content

A secret environment management

Project description


Treat your secrets like password


We live in a devops world, the devops world is awesome, so many neat tools and deployment management, API, ...

Many vendors will treat the security as "next vendor's problem".

As a user, we end-up with many dotfiles containing critical API keys in plain-text, or we just export BASH_VARS=SeCrEt, and the secret end-up in .bash_history.

On another side, we start to implement saner password management policies, thanks to tools such as password-store, keepass, 1password, lastpass, and so many more.

Let's try to fix it.

Denver is super simple and tool-agnostic script which let you export the environment variables AWS and Vault love so much, from your password manager (granted it offers you a way to write it to stdout). And set an alias (fdenver) to forget about it when you're done (or just close the terminal, I'm not your boss)


It's currently a WIP (work in progress), but due to being a pretty dumb wrapper around more mature tools, you can start to use it safely with actual secrets.

It could work, with some effort, in windows, but it's out of scope for now.

The demo.cfg file can be copied to $HOME/.denver.cfg.

pip install denver

Please do use a virtual environment.


on the password manager side

Store a secret in the form of:


If you use keepass, use the Notes field.

on denver side

Adapt the command to your use-case, examples are provided for keepassxc and gopass

It should work without any problem in any shell providing subshell support (ie. bash and zsh)

If your environment already has a variable with the same name in its scope, denver won't overwrite it, nor set it to be unset.

# source it from a subshell
source <( -n NAME)

# display the commands -n NAME
[ keep the space as 1st char if you copy/paste those commands so they're not
appended to your .history file ]

# look at the variables being correctly set up:

# forget about these

XXXX marks the spot

You can see 'XXXX' in command parameters, they're magic-value, and will be replaced with the name (-n key, or --name key) parameter at runtime.

more help

Haven't you tried this already ? --help

a note about stdin password prompts

You can't (easily) reach the subshell's stdin, it means you should use an external prompt program if the password tool give an interactive prompt, use a graphical tool in order to pipe your password there (cf. keepassxc command)


  • there's no context awareness, if you run it twice with different variables bundles, the fdenver alias won't be properly created, and will fail to unset every variables (should you be in that situation : just exit the damn shell)

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

denver-0.0.2.tar.gz (3.6 kB view hashes)

Uploaded source

Built Distribution

denver-0.0.2-py3-none-any.whl (4.9 kB view hashes)

Uploaded py3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page