
Fidelius
--------

Fidelius is a tool for managing GPG encrypted secrets in a git repository.

The `gpg` command is used to perform all encryption and decryption. Fidelius
is a simple wrapper that makes working with multiple encrypted files easy, and
follows some simple rules that define which files are decrypted and where the
plaintext is written.

* Paths like `file.encrypted.ext.asc` are decrypted to `file.decrypted.ext`,
* Paths like `directory.encrypted/file.ext.asc` are decrypted to
`directory/file.ext`.

These rules ensure that decrypted files have the correct extension for their
contents, are easy to exclude from version control with a `.gitignore` rule
(`fidelius` will check they are excluded!), and that decrypted files are
placed where you want them in your directory structure.

The last of these is particularly useful when working with tools like [Helm],
which may crash if they encounter encrypted files in their directory structure;
keeping the encrypted files in a separate directory avoids this.

Usage
-----

You'll need Python 3.7, [Pip] and GPG installed.

You can then install `fidelius` via `pip`:

```bash
pip install fidelius
```

This will install the `fidelius` executable. Run `fidelius --help` for full
usage information.

```bash
fidelius new -r 'fidelius@example.invalid' 'example.encrypted.txt.asc'
fidelius edit -r 'fidelius@example.invalid' 'example.encrypted.txt.asc'
fidelius view 'example.encrypted.txt.asc'
fidelius decrypt 'example.encrypted.txt.asc' && cat 'example.decrypted.txt'
```

You can also use Fidelius from another Python program. Only decryption is
currently provided via this API, intended for use in CI tasks:

```python
from fidelius.incantations import Fidelius
from fidelius.secrets import SecretKeeper
secret_keeper: SecretKeeper = Fidelius().cast()
secret_keeper.decrypt()
```

Rules
-----

All files with `.encrypted` anywhere in the name and a `.asc` or `.gpg` suffix
are decrypted into the same directory. The `.asc` or `.gpg` suffix is removed
and `.encrypted` is replaced with `.decrypted`.

```
one.encrypted.json.asc -> one.decrypted.json
```

All files with a `.asc` or `.gpg` suffix in a directory named `%.encrypted` are
decrypted into `%`, keeping the same relative path. Filenames have the `.asc` or
`.gpg` suffix removed, and `.encrypted` is replaced with `.decrypted`. Encrypted
files without `.encrypted` in their name have a `.decrypted` suffix added before
the last suffix in the filename.

```
directory.encrypted/two.json.gpg -> directory/two.decrypted.json
directory.encrypted/three.encrypted.json.gpg -> directory/three.decrypted.json
```
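To make the two rules above concrete, here is an added Python example that implements the encrypted-to-plaintext path mapping and builds a decryption plan for a list of repository paths. It is not code from Fidelius or its README; the function names (`decrypted_path`, `decryption_plan`), the sample file listing, and two edge-case decisions (a name with no suffix at all just gets `.decrypted` appended, and every `%.encrypted` ancestor directory is renamed, so nested ones are handled too) are assumptions made here. It also adds a check the rules imply but the README does not spell out: two encrypted files that would both decrypt to the same plaintext path (for example `a.encrypted.json.asc` and `a.encrypted.json.gpg`) are rejected instead of silently overwriting each other.

```python
from pathlib import PurePosixPath
from typing import Dict, List, Optional

ENCRYPTED_SUFFIXES = (".asc", ".gpg")
ENCRYPTED_MARK = ".encrypted"
DECRYPTED_MARK = ".decrypted"


def _decrypted_name(name: str) -> str:
    """Map a file name whose .asc/.gpg suffix has already been removed to its
    plaintext name, following the filename rules from the README."""
    if ENCRYPTED_MARK in name:
        # ".encrypted" anywhere in the name becomes ".decrypted".
        return name.replace(ENCRYPTED_MARK, DECRYPTED_MARK, 1)
    # No ".encrypted" marker: insert ".decrypted" before the last suffix.
    stem, dot, ext = name.rpartition(".")
    if dot and stem:
        return f"{stem}{DECRYPTED_MARK}.{ext}"
    # Assumption (not stated in the README): a name with no suffix at all
    # simply gets ".decrypted" appended.
    return name + DECRYPTED_MARK


def decrypted_path(path: str) -> Optional[str]:
    """Return the plaintext path for an encrypted path, or None when the path
    is not something Fidelius would decrypt."""
    p = PurePosixPath(path)
    if p.suffix not in ENCRYPTED_SUFFIXES:
        return None
    name = p.name[: -len(p.suffix)]
    parents = list(p.parent.parts)
    in_encrypted_dir = any(part.endswith(ENCRYPTED_MARK) for part in parents)
    if not in_encrypted_dir and ENCRYPTED_MARK not in name:
        # An .asc/.gpg file with no marker and no %.encrypted ancestor is
        # left alone rather than guessed at.
        return None
    # A directory named %.encrypted is decrypted into %, keeping the relative
    # path below it. Assumption: every such ancestor is renamed, so nested
    # %.encrypted directories are handled as well.
    parents = [
        part[: -len(ENCRYPTED_MARK)] if part.endswith(ENCRYPTED_MARK) else part
        for part in parents
    ]
    return str(PurePosixPath(*parents, _decrypted_name(name)))


def decryption_plan(paths: List[str]) -> Dict[str, str]:
    """Build the encrypted -> plaintext mapping for a set of repository paths,
    refusing to continue when two encrypted files would overwrite the same
    plaintext file."""
    plan: Dict[str, str] = {}
    owners: Dict[str, str] = {}  # plaintext path -> encrypted path that claims it
    for path in sorted(paths):
        target = decrypted_path(path)
        if target is None:
            continue
        if target in owners:
            raise ValueError(
                f"{path} and {owners[target]} would both decrypt to {target}"
            )
        owners[target] = path
        plan[path] = target
    return plan


# Constructed sample listing, in the shape `git ls-files` would print it
# (not taken from the README).
SAMPLE_PATHS = [
    "README.md",
    "one.encrypted.json.asc",
    "directory.encrypted/two.json.gpg",
    "directory.encrypted/three.encrypted.json.gpg",
    "charts.encrypted/app/values.yaml.asc",
    "notes.txt.asc",
]

if __name__ == "__main__":
    for encrypted, plaintext in decryption_plan(SAMPLE_PATHS).items():
        print(f"{encrypted} -> {plaintext}")
```

Running the block prints the four mappings from the sample listing; `README.md` is skipped because it has no `.asc`/`.gpg` suffix, and `notes.txt.asc` is skipped because it has neither `.encrypted` in its name nor a `%.encrypted` ancestor, so the rules give it no plaintext location. The collision check is the part worth keeping in any CI wrapper: a silent overwrite would leave you deploying whichever secret happened to be decrypted last.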

Using with `git diff`
---------------------

Add a `.gitattributes` file to your repository:

```
*.asc diff=fidelius
```

Add a custom git diff driver to `~/.gitconfig` in your home directory:

```
[diff "fidelius"]
textconv = "gpg --batch --quiet --decrypt"
```

The `git diff` command will now compare the plaintext of your secrets.

Alternatives
------------

Fidelius is built to fit my own use cases perfectly, but there are several other
far more mature projects for managing encrypted secrets in git repositories.

* [blackbox](https://github.com/StackExchange/blackbox)
* [git-crypt](https://github.com/AGWA/git-crypt)
* [git-secret](https://github.com/sobolevn/git-secret)
* [sops](https://github.com/mozilla/sops)
* [transcrypt](https://github.com/elasticdog/transcrypt)

License
-------

Licensed under the [MIT License].

Author
------

Written by [Sam Clements].

[Pip]: https://packaging.python.org/tutorials/installing-packages/
[Helm]: https://helm.sh/
[MIT License]: ./README.md
[Sam Clements]: https://github.com/borntyping

MIT License

Copyright (c) 2018 Sam Clements

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


Files for fidelius, version 4.1.0

| Filename | Size | File type | Python version |
|---|---|---|---|
| fidelius-4.1.0-py2.py3-none-any.whl | 14.4 kB | Wheel | py2.py3 |
| fidelius-4.1.0.tar.gz | 11.2 kB | Source | None |