
Python bindings for dotenvage - encrypt secrets in .env files using age encryption

Project description

dotenvage

Python bindings for dotenvage — encrypt secrets in .env files using age encryption (X25519).

Installation

pip install dotenvage
# or with uv
uv add dotenvage

Quick start

import dotenvage

# Generate a new identity (key pair)
manager = dotenvage.SecretManager.generate()
print(f"Public key: {manager.public_key_string()}")

# Encrypt a secret
encrypted = manager.encrypt_value("my-secret-password")
print(f"Encrypted: {encrypted}")
# Output: ENC[AGE:b64:...]

# Decrypt it back
decrypted = manager.decrypt_value(encrypted)
print(f"Decrypted: {decrypted}")
# Output: my-secret-password

# Check if a value is encrypted
print(dotenvage.SecretManager.is_encrypted(encrypted))  # True
print(dotenvage.SecretManager.is_encrypted("plain"))    # False

Loading .env files

import dotenvage

# Load .env files (decrypts encrypted values automatically)
loader = dotenvage.EnvLoader()
loaded_files = loader.load()
print(f"Loaded: {loaded_files}")

# Or get all variables as a dict
variables = loader.get_all_variables()
print(variables)

Auto-detection

dotenvage can detect which keys should be encrypted based on naming patterns:

import dotenvage

# Keys containing PASSWORD, SECRET, KEY, TOKEN, etc. are detected
dotenvage.should_encrypt("API_KEY")         # True
dotenvage.should_encrypt("DATABASE_URL")    # False
dotenvage.should_encrypt("SECRET_TOKEN")    # True
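A pre-commit style audit for the convention described above, as an added example (not part of dotenvage or its documentation): it flags sensitive-looking keys in a .env file whose values are not in the ENC[AGE:b64:...] envelope. The marker list, envelope regex, `NOT_SECRET` allowlist and sample file are assumptions built from what this page shows; in a real check, `dotenvage.should_encrypt` and `SecretManager.is_encrypted` would replace the two stand-ins.

```python
import re

# Assumption: only the name markers this page lists ("PASSWORD, SECRET, KEY,
# TOKEN, etc."); dotenvage.should_encrypt may match more patterns than these.
SENSITIVE_MARKERS = ("PASSWORD", "SECRET", "KEY", "TOKEN")
# Assumption: envelope shape taken from the page's sample output ENC[AGE:b64:...].
ENVELOPE = re.compile(r"^ENC\[AGE:b64:[A-Za-z0-9+/=_-]+\]$")
# Hypothetical allowlist: names that contain a marker but hold no secret.
NOT_SECRET = {"AGE_KEY_NAME"}

def parse_env(text):
    """Yield (line_no, key, value) for KEY=VALUE lines; skips blanks and comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        yield line_no, key.strip(), value

def looks_sensitive(key):
    """Stand-in for dotenvage.should_encrypt, limited to the markers above."""
    upper = key.upper()
    return key not in NOT_SECRET and any(m in upper for m in SENSITIVE_MARKERS)

def audit(text):
    """Return (line_no, key, reason) for sensitive-looking keys stored in the clear."""
    findings = []
    for line_no, key, value in parse_env(text):
        if not looks_sensitive(key) or value == "":
            continue
        if not ENVELOPE.match(value):
            reason = "malformed envelope" if value.startswith("ENC[") else "plaintext"
            findings.append((line_no, key, reason))
    return findings

# Constructed sample; the ciphertext payload is a placeholder, not real age output.
SAMPLE = """\
AGE_KEY_NAME=myapp/production
DATABASE_URL=postgres://db.internal/app
API_KEY=ENC[AGE:b64:cGxhY2Vob2xkZXI=]
SECRET_TOKEN="hunter2"
DB_PASSWORD=ENC[AGE:b64:cGxhY2Vob2xkZXI=
"""

if __name__ == "__main__":
    for line_no, key, reason in audit(SAMPLE):
        print(f"line {line_no}: {key} is {reason}")  # never print the value itself
```

The truncated envelope on the last sample line is reported separately from plaintext, since a value that starts with `ENC[` but does not parse is more likely a damaged ciphertext than an unencrypted secret.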

Key discovery

The SecretManager automatically discovers keys in this order:

  1. Auto-discover AGE_KEY_NAME from .env or .env.local files
  2. DOTENVAGE_AGE_KEY environment variable (full identity string)
  3. AGE_KEY environment variable
  4. EKG_AGE_KEY environment variable
  5. Key file from AGE_KEY_NAME → ~/.local/state/{namespace}/{keyname}.key
  6. Default: ~/.local/state/dotenvage/dotenvage.key

AGE_KEY_NAME format is {namespace}/{keyname}, e.g., myapp/production → ~/.local/state/myapp/production.key

API reference

SecretManager

Manager for encrypting and decrypting secrets using age encryption.

class SecretManager:
    def __init__(self) -> None:
        """Create from discovered key file."""

    @staticmethod
    def generate() -> SecretManager:
        """Generate a new random identity (key pair)."""

    @staticmethod
    def from_identity_string(identity: str) -> SecretManager:
        """Create from an age identity string (AGE-SECRET-KEY-...)."""

    @staticmethod
    def is_encrypted(value: str) -> bool:
        """Check if a value is in encrypted format."""

    def public_key_string(self) -> str:
        """Get public key as age1... string."""

    def encrypt_value(self, plaintext: str) -> str:
        """Encrypt to ENC[AGE:b64:...] format."""

    def decrypt_value(self, value: str) -> str:
        """Decrypt if encrypted, otherwise return unchanged."""

EnvLoader

Loader for .env files with automatic decryption.

class EnvLoader:
    def __init__(self) -> None:
        """Create with default SecretManager."""

    @staticmethod
    def with_manager(manager: SecretManager) -> EnvLoader:
        """Create with a specific SecretManager."""

    def load(self) -> list[str]:
        """Load .env files from current directory. Returns loaded paths."""

    def load_from_dir(self, dir: str) -> list[str]:
        """Load .env files from specific directory."""

    def get_all_variable_names(self) -> list[str]:
        """Get all variable names from .env files."""

    def get_all_variable_names_from_dir(self, dir: str) -> list[str]:
        """Get all variable names from .env files in directory."""

    def get_all_variables(self) -> dict[str, str]:
        """Load and return all variables as dict (decrypted)."""

    def get_all_variables_from_dir(self, dir: str) -> dict[str, str]:
        """Load and return all variables from directory (decrypted)."""

    def resolve_env_paths(self, dir: str) -> list[str]:
        """Get ordered list of .env file paths that would be loaded."""

Functions

def should_encrypt(key: str) -> bool:
    """Check if key name should be encrypted based on patterns."""

License

CC-BY-SA-4.0


Download files


Source Distributions

No source distribution files available for this release.

Built Distributions


dotenvage-0.3.0-cp312-cp312-win_amd64.whl (514.9 kB)

Uploaded CPython 3.12, Windows x86-64

dotenvage-0.3.0-cp312-cp312-manylinux_2_34_x86_64.whl (705.5 kB)

Uploaded CPython 3.12, manylinux: glibc 2.34+ x86-64

dotenvage-0.3.0-cp312-cp312-manylinux_2_34_aarch64.whl (679.5 kB)

Uploaded CPython 3.12, manylinux: glibc 2.34+ ARM64

dotenvage-0.3.0-cp312-cp312-macosx_11_0_arm64.whl (628.1 kB)

Uploaded CPython 3.12, macOS 11.0+ ARM64

dotenvage-0.3.0-cp312-cp312-macosx_10_12_x86_64.whl (648.5 kB)

Uploaded CPython 3.12, macOS 10.12+ x86-64

File details

Details for the file dotenvage-0.3.0-cp312-cp312-win_amd64.whl.

File metadata

  • Download URL: dotenvage-0.3.0-cp312-cp312-win_amd64.whl
  • Upload date:
  • Size: 514.9 kB
  • Tags: CPython 3.12, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dotenvage-0.3.0-cp312-cp312-win_amd64.whl
Algorithm Hash digest
SHA256 941970cd24199aafd9b377747a778b875c08ee592a00f78b01b746f5b29ddde8
MD5 5ebc32cd51de91634f7e0c376b3abc30
BLAKE2b-256 cadcc4a189e7de7d5657269e964cb24135e726642fce77c0a25146cdd3df5084


Provenance

The following attestation bundles were made for dotenvage-0.3.0-cp312-cp312-win_amd64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

