Scan, encrypt, and manage secrets in your project with key file or passphrase-based encryption.
Project description
Envveil
Envveil is a Python library and CLI tool for scanning, encrypting, and managing sensitive secrets (like API keys, tokens, and passwords) in your project. It helps you keep secrets out of your codebase, supports both key file and passphrase-based encryption, and provides audit logging and .gitignore management for maximum security.
Author
- Satarupa Deb
Features
- Scan for sensitive keys in
.env,settings.py, JSON, and other files - Encrypt secrets using either a key file or a user-supplied passphrase (no key file needed)
- Decrypt secrets easily for local use
- Rotate encryption keys or passphrases and re-encrypt secrets
- Retrofit protection for already-pushed repositories
- Audit logging for all secret access and key rotation events
- Automatic .gitignore management and warnings for unsafe key handling
- Language-specific .gitignore template fetcher
Installation
From PyPI
pip install envveil
Usage Summary Table
| Step | Command Example | What Happens |
|---|---|---|
| Scan | scan --env .env |
Finds secrets in file |
| Encrypt | encrypt --env .env --passphrase "your_passphrase" |
Encrypts secrets with passphrase, stores salt+data |
| Decrypt | decrypt --passphrase "your_passphrase" |
Decrypts and prints secrets |
| Rotate Key | rotate-key --old-passphrase "old" --new-passphrase "new" |
Changes passphrase, re-encrypts secrets |
| Audit Log | (automatic) | Logs all decrypt/rotate events |
| .gitignore | (automatic) | Ensures secret files are ignored by git |
Security Notes
- Passphrase mode: No key file is stored. The passphrase is never saved; if you forget it, secrets are unrecoverable.
- Key file mode: Always ensure
.envveil.keyis in your.gitignore. envveil will warn you if not. - Audit log: All decryption and key rotation events are logged in
envveil_audit.log. - .env.encrypted and key files are always added to
.gitignoreautomatically.
License
MIT License
Disclaimer
envveil is a developer tool for secret management and does not guarantee absolute security. Always follow best practices for secret storage and access control in production environments.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file envveil-0.3.0.tar.gz.
File metadata
- Download URL: envveil-0.3.0.tar.gz
- Upload date:
- Size: 11.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6ad62178f1b922426779db66f26039b2f1c3546f576cb55724bb16320cc59523
|
|
| MD5 |
9c67299e2dcc8f39d3729fc37b109fce
|
|
| BLAKE2b-256 |
ed2caca37d435525ba34077efa8e2afeb4198b4ccd5d57cc645dec9574817342
|
File details
Details for the file envveil-0.3.0-py3-none-any.whl.
File metadata
- Download URL: envveil-0.3.0-py3-none-any.whl
- Upload date:
- Size: 10.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b6158a8113ac512d7de5cc8a1537bfee65c4ab86ea061b12af3f32b61a6e3586
|
|
| MD5 |
4c6710a951b41b3a03f65ef792b3defe
|
|
| BLAKE2b-256 |
b3a97fcaec33b0c6e4afc79bd6245d83f0b38181f22ee489c2ded3e8a2f6814d
|
