Python bindings for dotenvage - encrypt secrets in .env files using age encryption

Project description

dotenvage

Python bindings for dotenvage — encrypt secrets in .env files using age encryption (X25519).

Installation

pip install dotenvage
# or with uv
uv add dotenvage

Quick start

import dotenvage

# Generate a new identity (key pair)
manager = dotenvage.SecretManager.generate()
print(f"Public key: {manager.public_key_string()}")

# Encrypt a secret
encrypted = manager.encrypt_value("my-secret-password")
print(f"Encrypted: {encrypted}")
# Output: ENC[AGE:b64:...]

# Decrypt it back
decrypted = manager.decrypt_value(encrypted)
print(f"Decrypted: {decrypted}")
# Output: my-secret-password

# Check if a value is encrypted
print(dotenvage.SecretManager.is_encrypted(encrypted))  # True
print(dotenvage.SecretManager.is_encrypted("plain"))    # False

Loading .env files

import dotenvage

# Load .env files (decrypts encrypted values automatically)
loader = dotenvage.EnvLoader()
loaded_files = loader.load()
print(f"Loaded: {loaded_files}")

# Or get all variables as a dict
variables = loader.get_all_variables()
print(variables)

Auto-detection

dotenvage can detect which keys should be encrypted based on naming patterns:

import dotenvage

# Keys containing PASSWORD, SECRET, KEY, TOKEN, etc. are detected
dotenvage.should_encrypt("API_KEY")         # True
dotenvage.should_encrypt("DATABASE_URL")    # False
dotenvage.should_encrypt("SECRET_TOKEN")    # True
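
A pre-commit style audit built on the same idea, as an added example that is not dotenvage's own code: it flags variables whose names look sensitive but whose values are not in the ENC[AGE:b64:...] wrapper. The name pattern covers only the four fragments listed above, and the AGE_KEY_NAME allowlist entry and the sample file are assumptions made for this illustration.

```python
import re

# Name fragments the page lists; the library's own list may be longer.
SENSITIVE = re.compile(r"PASSWORD|SECRET|KEY|TOKEN", re.IGNORECASE)
# Assumption: AGE_KEY_NAME names a key file and has to stay readable.
ALLOW_PLAINTEXT = {"AGE_KEY_NAME"}
ENC_PREFIX = "ENC[AGE:b64:"


def looks_encrypted(value: str) -> bool:
    """True for the ENC[AGE:b64:...] wrapper with a non-empty payload."""
    return (value.startswith(ENC_PREFIX) and value.endswith("]")
            and len(value) > len(ENC_PREFIX) + 1)


def parse_env(text: str):
    """Yield (lineno, name, value) for simple NAME=VALUE lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop matching surrounding quotes
        yield lineno, name.strip(), value


def plaintext_secrets(text: str) -> list[tuple[int, str]]:
    """Sensitive-looking names whose non-empty value is not encrypted."""
    return [(lineno, name) for lineno, name, value in parse_env(text)
            if SENSITIVE.search(name) and name not in ALLOW_PLAINTEXT
            and value and not looks_encrypted(value)]


# Constructed sample, not a real configuration.
SAMPLE_ENV = """\
DATABASE_URL=postgres://db.example.internal/app
API_KEY="ENC[AGE:b64:Y29uc3RydWN0ZWQ=]"
SECRET_TOKEN=hunter2
export SMTP_PASSWORD=
AGE_KEY_NAME=myapp/production
"""

if __name__ == "__main__":
    for lineno, name in plaintext_secrets(SAMPLE_ENV):
        print(f"line {lineno}: {name} is stored in plaintext")
```

A name-based heuristic misses secrets stored under neutral names (a DATABASE_URL with embedded credentials, for instance), so treat a clean result as a floor rather than proof.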

Key discovery

The SecretManager automatically discovers keys in this order:

  1. Auto-discover AGE_KEY_NAME from .env or .env.local files
  2. DOTENVAGE_AGE_KEY environment variable (full identity string)
  3. AGE_KEY environment variable
  4. EKG_AGE_KEY environment variable
  5. Key file from AGE_KEY_NAME → ~/.local/state/{namespace}/{keyname}.key
  6. Default: ~/.local/state/dotenvage/dotenvage.key

AGE_KEY_NAME format is {namespace}/{keyname}, e.g., myapp/production → ~/.local/state/myapp/production.key
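
Because the private key ends up in a file under ~/.local/state, it is worth checking that file before relying on it. The following is an added example, not dotenvage's own code: it maps an AGE_KEY_NAME to the path given above and reports loose permissions or wrong ownership. The function names and the strict two-component validation are assumptions of this sketch, and the permission check is POSIX-only.

```python
import os
import stat
from pathlib import Path


def key_path_for(age_key_name: str, home: Path) -> Path:
    """Map AGE_KEY_NAME ({namespace}/{keyname}) to its key file path."""
    parts = age_key_name.split("/")
    # Added check: exactly two plain components, no traversal.
    if len(parts) != 2 or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"expected namespace/keyname, got {age_key_name!r}")
    namespace, keyname = parts
    return home / ".local" / "state" / namespace / f"{keyname}.key"


def audit_key_file(path: Path) -> list[str]:
    """Return problems found with the private key file (empty list = OK)."""
    try:
        st = path.lstat()
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & 0o077:  # any group/other permission bit set
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:04o} allows group/other access")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("not owned by current user")
    return problems


if __name__ == "__main__":
    # The default name reproduces the default path from step 6.
    name = os.environ.get("AGE_KEY_NAME", "dotenvage/dotenvage")
    target = key_path_for(name, Path.home())
    print(target, audit_key_file(target) or "OK")
```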

API reference

SecretManager

Manager for encrypting and decrypting secrets using age encryption.

class SecretManager:
    def __init__(self) -> None:
        """Create from discovered key file."""

    @staticmethod
    def generate() -> SecretManager:
        """Generate a new random identity (key pair)."""

    @staticmethod
    def from_identity_string(identity: str) -> SecretManager:
        """Create from an age identity string (AGE-SECRET-KEY-...)."""

    @staticmethod
    def is_encrypted(value: str) -> bool:
        """Check if a value is in encrypted format."""

    def public_key_string(self) -> str:
        """Get public key as age1... string."""

    def encrypt_value(self, plaintext: str) -> str:
        """Encrypt to ENC[AGE:b64:...] format."""

    def decrypt_value(self, value: str) -> str:
        """Decrypt if encrypted, otherwise return unchanged."""

EnvLoader

Loader for .env files with automatic decryption.

class EnvLoader:
    def __init__(self) -> None:
        """Create with default SecretManager."""

    @staticmethod
    def with_manager(manager: SecretManager) -> EnvLoader:
        """Create with a specific SecretManager."""

    def load(self) -> list[str]:
        """Load .env files from current directory. Returns loaded paths."""

    def load_from_dir(self, dir: str) -> list[str]:
        """Load .env files from specific directory."""

    def get_all_variable_names(self) -> list[str]:
        """Get all variable names from .env files."""

    def get_all_variable_names_from_dir(self, dir: str) -> list[str]:
        """Get all variable names from .env files in directory."""

    def get_all_variables(self) -> dict[str, str]:
        """Load and return all variables as dict (decrypted)."""

    def get_all_variables_from_dir(self, dir: str) -> dict[str, str]:
        """Load and return all variables from directory (decrypted)."""

    def resolve_env_paths(self, dir: str) -> list[str]:
        """Get ordered list of .env file paths that would be loaded."""

Functions

def should_encrypt(key: str) -> bool:
    """Check if key name should be encrypted based on patterns."""

License

CC-BY-SA-4.0


Download files

Source Distributions

No source distribution files available for this release. See tutorial on generating distribution archives.

Built Distributions

  • dotenvage-0.3.1-cp310-abi3-win_amd64.whl (517.3 kB): CPython 3.10+, Windows x86-64
  • dotenvage-0.3.1-cp310-abi3-manylinux_2_34_x86_64.whl (711.8 kB): CPython 3.10+, manylinux: glibc 2.34+ x86-64
  • dotenvage-0.3.1-cp310-abi3-manylinux_2_34_aarch64.whl (684.6 kB): CPython 3.10+, manylinux: glibc 2.34+ ARM64
  • dotenvage-0.3.1-cp310-abi3-macosx_11_0_arm64.whl (631.5 kB): CPython 3.10+, macOS 11.0+ ARM64
  • dotenvage-0.3.1-cp310-abi3-macosx_10_12_x86_64.whl (651.6 kB): CPython 3.10+, macOS 10.12+ x86-64

File details

Details for the file dotenvage-0.3.1-cp310-abi3-win_amd64.whl.

File metadata

  • Download URL: dotenvage-0.3.1-cp310-abi3-win_amd64.whl
  • Upload date:
  • Size: 517.3 kB
  • Tags: CPython 3.10+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dotenvage-0.3.1-cp310-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 676ff89bdd824a71cbf3f919d95e7dc99423c82b449204439481890ab98a1ef4
MD5 1c7fcff88c583cd133d9f8cc5f572428
BLAKE2b-256 0506c3b70aa0b1993bbb4febf84307cafb7842904f77c1375724e77a870c5c26

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotenvage-0.3.1-cp310-abi3-win_amd64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dotenvage-0.3.1-cp310-abi3-manylinux_2_34_x86_64.whl.

File hashes

Hashes for dotenvage-0.3.1-cp310-abi3-manylinux_2_34_x86_64.whl
Algorithm Hash digest
SHA256 fd9e4eaa6c8fe991af43905f643962715e55d279e4e2ac3c858c3a018ddbe455
MD5 269bef146160e6f3b513cdbacfdd37c0
BLAKE2b-256 9e5ddd7ec5be9ae9c6becd19437e936cc2d61f6620a833b7c28bf1413005dfbf

Provenance

The following attestation bundles were made for dotenvage-0.3.1-cp310-abi3-manylinux_2_34_x86_64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

File details

Details for the file dotenvage-0.3.1-cp310-abi3-manylinux_2_34_aarch64.whl.

File hashes

Hashes for dotenvage-0.3.1-cp310-abi3-manylinux_2_34_aarch64.whl
Algorithm Hash digest
SHA256 d77ab9b175f68a0c46fce489ea492296a018443f6b902125d543d580060e6858
MD5 492fb31d825100dbb119bc72c52c4551
BLAKE2b-256 74441e99691e201e56b63b70f6749dd53f487edae591f7fc0abb86cc462abc1b

Provenance

The following attestation bundles were made for dotenvage-0.3.1-cp310-abi3-manylinux_2_34_aarch64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

File details

Details for the file dotenvage-0.3.1-cp310-abi3-macosx_11_0_arm64.whl.

File hashes

Hashes for dotenvage-0.3.1-cp310-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 8b02e693afabb1f78fcc0b6ab62a3b0edfcd28588a68708f47554ec957c78f31
MD5 5918288dbd9616fba2aa8e8e5dba90b1
BLAKE2b-256 65b4e752d82601a7f431b6c9663e48b3817ba6a7a8031bd1d3738633efbf2470

Provenance

The following attestation bundles were made for dotenvage-0.3.1-cp310-abi3-macosx_11_0_arm64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

File details

Details for the file dotenvage-0.3.1-cp310-abi3-macosx_10_12_x86_64.whl.

File hashes

Hashes for dotenvage-0.3.1-cp310-abi3-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 3f852535ce4109322056374f86e0748fa40e776945ab2417509c1039fead9823
MD5 b91923ac452d4d4735d97d3ae4eeeb63
BLAKE2b-256 3ebe9fa1ca8be95cdcf1db470a819bcea30983022f7265659e153c63038c0c95

Provenance

The following attestation bundles were made for dotenvage-0.3.1-cp310-abi3-macosx_10_12_x86_64.whl:

Publisher: ci.yml on dataroadinc/dotenvage
