Python bindings for dotenvage - encrypt secrets in .env files using age encryption

Project description

dotenvage

Python bindings for dotenvage — encrypt secrets in .env files using age encryption (X25519).

Installation

pip install dotenvage
# or with uv
uv add dotenvage

Quick start

import dotenvage

# Generate a new identity (key pair)
manager = dotenvage.SecretManager.generate()
print(f"Public key: {manager.public_key_string()}")

# Encrypt a secret
encrypted = manager.encrypt_value("my-secret-password")
print(f"Encrypted: {encrypted}")
# Output: ENC[AGE:b64:...]

# Decrypt it back
decrypted = manager.decrypt_value(encrypted)
print(f"Decrypted: {decrypted}")
# Output: my-secret-password

# Check if a value is encrypted
print(dotenvage.SecretManager.is_encrypted(encrypted))  # True
print(dotenvage.SecretManager.is_encrypted("plain"))    # False

Loading .env files

import dotenvage

# Load .env files (decrypts encrypted values automatically)
loader = dotenvage.EnvLoader()
loaded_files = loader.load()
print(f"Loaded: {loaded_files}")

# Or get all variables as a dict
variables = loader.get_all_variables()
print(variables)

Auto-detection

dotenvage can detect which keys should be encrypted based on naming patterns:

import dotenvage

# Keys containing PASSWORD, SECRET, KEY, TOKEN, etc. are detected
dotenvage.should_encrypt("API_KEY")         # True
dotenvage.should_encrypt("DATABASE_URL")    # False
dotenvage.should_encrypt("SECRET_TOKEN")    # True
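
An added example (not from the dotenvage project): a pre-commit style check that combines should_encrypt with SecretManager.is_encrypted to report sensitive keys whose values are still plaintext. The names parse_env and find_plaintext_secrets are hypothetical, the .env parsing is a simplified stand-in for the library's own, and SAMPLE_ENV is constructed.

```python
"""Added example: flag sensitive .env keys whose values are still plaintext."""
import sys
from typing import Callable, Iterator

# Constructed sample; the ENC[...] payload is a placeholder, not real ciphertext.
SAMPLE_ENV = """\
# app settings
DATABASE_URL=postgres://db.internal/app
API_KEY="sk-constructed-example"
export SECRET_TOKEN=ENC[AGE:b64:Y29uc3RydWN0ZWQ=]
DB_PASSWORD=
SESSION_SECRET='constructed-value'
"""

def parse_env(text: str) -> Iterator[tuple[int, str, str]]:
    """Yield (line_no, key, value). Simplified parser, not dotenvage's own."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        # Drop one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield line_no, key.strip(), value

def find_plaintext_secrets(
    text: str,
    should_encrypt: Callable[[str], bool],
    is_encrypted: Callable[[str], bool],
) -> list[tuple[int, str]]:
    """Return (line_no, key) for sensitive keys with non-empty plaintext values."""
    return [
        (line_no, key)
        for line_no, key, value in parse_env(text)
        if value and should_encrypt(key) and not is_encrypted(value)
    ]

if __name__ == "__main__":
    import dotenvage  # predicates documented on this page
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ENV
    hits = find_plaintext_secrets(
        text, dotenvage.should_encrypt, dotenvage.SecretManager.is_encrypted
    )
    for line_no, key in hits:
        print(f"line {line_no}: {key} is not encrypted")  # key names only, never values
    sys.exit(1 if hits else 0)
```

Run with a path to a .env file as the first argument; the non-zero exit status lets a pre-commit hook or CI step block the change.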

Key discovery

The SecretManager automatically discovers keys in this order:

  1. Auto-discover AGE_KEY_NAME from .env or .env.local files
  2. DOTENVAGE_AGE_KEY environment variable (full identity string)
  3. AGE_KEY environment variable
  4. EKG_AGE_KEY environment variable
  5. Key file from AGE_KEY_NAME: ~/.local/state/{namespace}/{keyname}.key
  6. Default: ~/.local/state/dotenvage/dotenvage.key

AGE_KEY_NAME format is {namespace}/{keyname}, e.g., myapp/production resolves to ~/.local/state/myapp/production.key

API reference

SecretManager

Manager for encrypting and decrypting secrets using age encryption.

class SecretManager:
    def __init__(self) -> None:
        """Create from discovered key file."""

    @staticmethod
    def generate() -> SecretManager:
        """Generate a new random identity (key pair)."""

    @staticmethod
    def from_identity_string(identity: str) -> SecretManager:
        """Create from an age identity string (AGE-SECRET-KEY-...)."""

    @staticmethod
    def is_encrypted(value: str) -> bool:
        """Check if a value is in encrypted format."""

    def public_key_string(self) -> str:
        """Get public key as age1... string."""

    def encrypt_value(self, plaintext: str) -> str:
        """Encrypt to ENC[AGE:b64:...] format."""

    def decrypt_value(self, value: str) -> str:
        """Decrypt if encrypted, otherwise return unchanged."""

EnvLoader

Loader for .env files with automatic decryption.

class EnvLoader:
    def __init__(self) -> None:
        """Create with default SecretManager."""

    @staticmethod
    def with_manager(manager: SecretManager) -> EnvLoader:
        """Create with a specific SecretManager."""

    def load(self) -> list[str]:
        """Load .env files from current directory. Returns loaded paths."""

    def load_from_dir(self, dir: str) -> list[str]:
        """Load .env files from specific directory."""

    def get_all_variable_names(self) -> list[str]:
        """Get all variable names from .env files."""

    def get_all_variable_names_from_dir(self, dir: str) -> list[str]:
        """Get all variable names from .env files in directory."""

    def get_all_variables(self) -> dict[str, str]:
        """Load and return all variables as dict (decrypted)."""

    def get_all_variables_from_dir(self, dir: str) -> dict[str, str]:
        """Load and return all variables from directory (decrypted)."""

    def resolve_env_paths(self, dir: str) -> list[str]:
        """Get ordered list of .env file paths that would be loaded."""

Functions

def should_encrypt(key: str) -> bool:
    """Check if key name should be encrypted based on patterns."""

License

CC-BY-SA-4.0

Download files

Source Distributions

No source distribution files available for this release.

Built Distributions

dotenvage-0.3.2-cp310-abi3-win_amd64.whl (517.3 kB)

Uploaded: CPython 3.10+, Windows x86-64

dotenvage-0.3.2-cp310-abi3-manylinux_2_34_x86_64.whl (711.8 kB)

Uploaded: CPython 3.10+, manylinux: glibc 2.34+ x86-64

dotenvage-0.3.2-cp310-abi3-manylinux_2_34_aarch64.whl (684.6 kB)

Uploaded: CPython 3.10+, manylinux: glibc 2.34+ ARM64

dotenvage-0.3.2-cp310-abi3-macosx_11_0_arm64.whl (631.4 kB)

Uploaded: CPython 3.10+, macOS 11.0+ ARM64

dotenvage-0.3.2-cp310-abi3-macosx_10_12_x86_64.whl (651.7 kB)

Uploaded: CPython 3.10+, macOS 10.12+ x86-64

File details

Details for the file dotenvage-0.3.2-cp310-abi3-win_amd64.whl.

File metadata

  • Download URL: dotenvage-0.3.2-cp310-abi3-win_amd64.whl
  • Upload date:
  • Size: 517.3 kB
  • Tags: CPython 3.10+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dotenvage-0.3.2-cp310-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 ec829fc502c07804536591cb4c4ecea185140ed70cd5a067c2661d04c5bff699
MD5 9b50269850ff97f11fe5851a4121b584
BLAKE2b-256 86da7fb9c27a0416fb5a7433e16b341e0b1a9a586384c237bb66c5cd275fe4ec

Provenance

The following attestation bundles were made for dotenvage-0.3.2-cp310-abi3-win_amd64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
