Python bindings for dotenvage - encrypt secrets in .env files using age encryption

Project description

dotenvage

Python bindings for dotenvage — encrypt secrets in .env files using age encryption (X25519).

Installation

pip install dotenvage
# or with uv
uv add dotenvage

Quick start

import dotenvage

# Generate a new identity (key pair)
manager = dotenvage.SecretManager.generate()
print(f"Public key: {manager.public_key_string()}")

# Encrypt a secret
encrypted = manager.encrypt_value("my-secret-password")
print(f"Encrypted: {encrypted}")
# Output: ENC[AGE:b64:...]

# Decrypt it back
decrypted = manager.decrypt_value(encrypted)
print(f"Decrypted: {decrypted}")
# Output: my-secret-password

# Check if a value is encrypted
print(dotenvage.SecretManager.is_encrypted(encrypted))  # True
print(dotenvage.SecretManager.is_encrypted("plain"))    # False

Loading .env files

import dotenvage

# Load .env files (decrypts encrypted values automatically)
loader = dotenvage.EnvLoader()
loaded_files = loader.load()
print(f"Loaded: {loaded_files}")

# Or get all variables as a dict
variables = loader.get_all_variables()
print(variables)

Auto-detection

dotenvage can detect which keys should be encrypted based on naming patterns:

import dotenvage

# Keys containing PASSWORD, SECRET, KEY, TOKEN, etc. are detected
dotenvage.should_encrypt("API_KEY")         # True
dotenvage.should_encrypt("DATABASE_URL")    # False
dotenvage.should_encrypt("SECRET_TOKEN")    # True
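
The naming heuristic above can back a pre-commit or CI check that flags sensitive-looking keys whose values are not in the ENC[AGE:b64:...] form. The following is an added example, not dotenvage's own code: the pattern list, the AGE_KEY_NAME allow-list, the payload alphabet and the sample .env text are assumptions made for illustration.

```python
import re

# Assumption: fragments modelled on the page's "PASSWORD, SECRET, KEY, TOKEN, etc.";
# the library's real pattern list may differ.
SENSITIVE_PARTS = ("PASSWORD", "SECRET", "KEY", "TOKEN")
# Assumption: non-secret settings that a plain substring match would flag by accident.
ALLOWED_PLAINTEXT = {"AGE_KEY_NAME"}
# Wrapper taken from the page (ENC[AGE:b64:...]); the payload alphabet is an assumption.
ENC_RE = re.compile(r"^ENC\[AGE:b64:[A-Za-z0-9+/=_-]+\]$")
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def looks_sensitive(name: str) -> bool:
    upper = name.upper()
    return upper not in ALLOWED_PLAINTEXT and any(p in upper for p in SENSITIVE_PARTS)


def find_plaintext_secrets(env_text: str) -> list[tuple[int, str]]:
    """Return (line number, key) for sensitive-looking keys stored unencrypted."""
    findings = []
    for lineno, line in enumerate(env_text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:  # comments and blank lines are not KEY=VALUE
            continue
        name, value = match.group(1), match.group(2).strip()
        # Strip one pair of matching quotes around the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        # Empty values are ignored; a truncated ENC[...] wrapper counts as plaintext.
        if value and looks_sensitive(name) and not ENC_RE.match(value):
            findings.append((lineno, name))
    return findings


# Constructed sample input (not a real configuration).
SAMPLE_ENV = """\
# app settings
AGE_KEY_NAME=myapp/production
DATABASE_URL=postgres://db.internal/app
API_KEY=ENC[AGE:b64:Y29uc3RydWN0ZWQ=]
export SECRET_TOKEN="hunter2"
DB_PASSWORD=
SMTP_PASSWORD='ENC[AGE:b64:truncated'
"""

if __name__ == "__main__":
    for lineno, name in find_plaintext_secrets(SAMPLE_ENV):
        print(f"line {lineno}: {name} is not encrypted")
```

With the package installed, dotenvage.should_encrypt and dotenvage.SecretManager.is_encrypted from the page can replace looks_sensitive and ENC_RE.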

Key discovery

The SecretManager automatically discovers keys in this order:

  1. Auto-discover AGE_KEY_NAME from .env or .env.local files
  2. DOTENVAGE_AGE_KEY environment variable (full identity string)
  3. AGE_KEY environment variable
  4. EKG_AGE_KEY environment variable
  5. OS keychain entry (service: dotenvage or DOTENVAGE_KEYCHAIN_SERVICE; account: AGE_KEY_NAME or {CARGO_PKG_NAME}/dotenvage)
  6. Key file derived from AGE_KEY_NAME: ~/.local/state/{namespace}/{keyname}.key
  7. Default: ~/.local/state/dotenvage/dotenvage.key

OS keychain lookup currently uses:

  • macOS: Keychain via security
  • Linux/Unix: Secret Service via secret-tool
  • Windows: lookup falls back to file/env sources (no keychain lookup yet); keygen --store os|both stores using cmdkey

AGE_KEY_NAME format is {namespace}/{keyname}, e.g., myapp/production maps to ~/.local/state/myapp/production.key
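
Because AGE_KEY_NAME can be read from a .env file and is turned into a file path, it is worth validating the name and auditing the resulting key file on POSIX systems. The following is an added example, not dotenvage's own code: the allowed character set, the permission policy and the function names are assumptions, and the demo runs in a temporary directory with a placeholder key.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: each part is limited to a conservative character set so the name
# cannot escape the state directory ("..", extra "/", absolute paths).
PART_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def key_path_for(age_key_name: str, state_dir: Path) -> Path:
    """Map '{namespace}/{keyname}' to '<state_dir>/{namespace}/{keyname}.key'."""
    parts = age_key_name.split("/")
    if len(parts) != 2 or not all(PART_RE.match(p) for p in parts):
        raise ValueError(f"AGE_KEY_NAME must be namespace/keyname: {age_key_name!r}")
    return state_dir / parts[0] / f"{parts[1]}.key"


def audit_key_file(path: Path) -> list[str]:
    """Return problems that would expose the private key to other local users."""
    if not path.exists():
        return ["missing"]
    info = path.lstat()
    problems = []
    if stat.S_ISLNK(info.st_mode):
        problems.append("symlink")
    if stat.S_IMODE(info.st_mode) & 0o077:
        problems.append("group/other access")
    return problems


def demo() -> dict:
    """Constructed walk-through in a temporary directory (no real keys touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        # In real use state_dir would be Path.home() / ".local/state" (from the page).
        path = key_path_for("myapp/production", Path(tmp))
        path.parent.mkdir(parents=True)
        path.write_text("AGE-SECRET-KEY-PLACEHOLDER\n")
        os.chmod(path, 0o644)
        loose = audit_key_file(path)
        os.chmod(path, 0o600)
        return {"relative": path.relative_to(tmp).as_posix(),
                "loose": loose, "tight": audit_key_file(path)}


if __name__ == "__main__":
    print(demo())
```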

API reference

SecretManager

Manager for encrypting and decrypting secrets using age encryption.

class SecretManager:
    def __init__(self) -> None:
        """Create from discovered key file."""

    @staticmethod
    def generate() -> SecretManager:
        """Generate a new random identity (key pair)."""

    @staticmethod
    def from_identity_string(identity: str) -> SecretManager:
        """Create from an age identity string (AGE-SECRET-KEY-...)."""

    @staticmethod
    def is_encrypted(value: str) -> bool:
        """Check if a value is in encrypted format."""

    def public_key_string(self) -> str:
        """Get public key as age1... string."""

    def encrypt_value(self, plaintext: str) -> str:
        """Encrypt to ENC[AGE:b64:...] format."""

    def decrypt_value(self, value: str) -> str:
        """Decrypt if encrypted, otherwise return unchanged."""

EnvLoader

Loader for .env files with automatic decryption.

class EnvLoader:
    def __init__(self) -> None:
        """Create with default SecretManager."""

    @staticmethod
    def with_manager(manager: SecretManager) -> EnvLoader:
        """Create with a specific SecretManager."""

    def load(self) -> list[str]:
        """Load .env files from current directory. Returns loaded paths."""

    def load_from_dir(self, dir: str) -> list[str]:
        """Load .env files from specific directory."""

    def get_all_variable_names(self) -> list[str]:
        """Get all variable names from .env files."""

    def get_all_variable_names_from_dir(self, dir: str) -> list[str]:
        """Get all variable names from .env files in directory."""

    def get_all_variables(self) -> dict[str, str]:
        """Load and return all variables as dict (decrypted)."""

    def get_all_variables_from_dir(self, dir: str) -> dict[str, str]:
        """Load and return all variables from directory (decrypted)."""

    def resolve_env_paths(self, dir: str) -> list[str]:
        """Get ordered list of .env file paths that would be loaded."""

Functions

def should_encrypt(key: str) -> bool:
    """Check if key name should be encrypted based on patterns."""

License

CC-BY-SA-4.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release. See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

  • dotenvage-0.5.1-cp310-abi3-win_amd64.whl (516.6 kB): CPython 3.10+, Windows x86-64
  • dotenvage-0.5.1-cp310-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (635.6 kB): CPython 3.10+, manylinux: glibc 2.17+ x86-64
  • dotenvage-0.5.1-cp310-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (596.8 kB): CPython 3.10+, manylinux: glibc 2.17+ ARM64
  • dotenvage-0.5.1-cp310-abi3-macosx_11_0_arm64.whl (633.8 kB): CPython 3.10+, macOS 11.0+ ARM64
  • dotenvage-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl (653.4 kB): CPython 3.10+, macOS 10.12+ x86-64

File details

Details for the file dotenvage-0.5.1-cp310-abi3-win_amd64.whl.

File metadata

  • Download URL: dotenvage-0.5.1-cp310-abi3-win_amd64.whl
  • Upload date:
  • Size: 516.6 kB
  • Tags: CPython 3.10+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for dotenvage-0.5.1-cp310-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 dd2c381fcd5d7950d7f1f4073783f32e52f3049c20d1cfb78c1be3b9f3c4bb67
MD5 dbd8ed148666ee7a6b2d610c74549467
BLAKE2b-256 2ccb2f790f0700ac249b9d5ed42d8999856964c2532fd19beb5a24ed2ef8f011

See more details on using hashes here.

Provenance

The following attestation bundles were made for dotenvage-0.5.1-cp310-abi3-win_amd64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dotenvage-0.5.1-cp310-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File hashes

Hashes for dotenvage-0.5.1-cp310-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 a27c241f6598aae225f91dfff06fd702b864c6b3340bd1fcb4d78c1acfe5a1ff
MD5 e914a5abfbecc33d2b62c9739ff2a702
BLAKE2b-256 f5d104289abe805f74efb247bcaaf245bb13534bb65ef02e1263ee3c675617c9

Provenance

The following attestation bundles were made for dotenvage-0.5.1-cp310-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

File details

Details for the file dotenvage-0.5.1-cp310-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File hashes

Hashes for dotenvage-0.5.1-cp310-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 2a995be1d0a38d21f3fa2b497d802147ef204e274ebfcc2f445c8c730b260d58
MD5 961ba8e38b78cf2c7caf93362df5ea33
BLAKE2b-256 aef04afe310f3289701ee1fa8d829723d9a0e5e39cbeb1e6be642982eaf2dba7

Provenance

The following attestation bundles were made for dotenvage-0.5.1-cp310-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

File details

Details for the file dotenvage-0.5.1-cp310-abi3-macosx_11_0_arm64.whl.

File hashes

Hashes for dotenvage-0.5.1-cp310-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 bb7c402723c67875c8063f4e1ac68b4a91f202ae566119f43deed0f1f775539a
MD5 ec2382cc10b38cc256a2cc1729092bf5
BLAKE2b-256 3bb1e96157085981b5c62c386d70aa02048fc92547d65414ceda8f146e24a9dc

Provenance

The following attestation bundles were made for dotenvage-0.5.1-cp310-abi3-macosx_11_0_arm64.whl:

Publisher: ci.yml on dataroadinc/dotenvage

File details

Details for the file dotenvage-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl.

File hashes

Hashes for dotenvage-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 955e4d7dc9f93d70244d160b7fcc1de57ed24aa26182b53db25506a97d95dd46
MD5 777556867fc6b0a27e070a55f8ea9a1d
BLAKE2b-256 41b1d1d8dbb8833dccfc3a740d2b33d91c81fbad3cda4b12c4a91627d8a1af57

Provenance

The following attestation bundles were made for dotenvage-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl:

Publisher: ci.yml on dataroadinc/dotenvage
