Skip to main content

Secure secret management using encrypted GitHub Gists

Project description

GistSafe

Encrypted secret management for developers. Store environment variables securely in private GitHub Gists.

Features

  • Strong encryption via PBKDF2HMAC-SHA256 + Fernet
  • Private GitHub Gists as storage — no infrastructure to manage
  • Per-project, per-environment secret organization
  • Inject secrets as environment variables into any command
  • Optional key obfuscation (encrypts variable names too)
  • Password hints for recovery
  • Local caching for fast lookups

Installation

pip install gistsafe

Or with pipx (recommended for CLI tools):

pipx install gistsafe

From source:

git clone https://github.com/moringaman/gistsafe.git
cd gistsafe
pip install .

Setup

Create a .env file in your project directory, or set the environment variable:

export GITHUB_TOKEN=ghp_yourtokenhere

You need a GitHub personal access token with the gist scope.

Requirements: Python 3.10+

Quick Start

# Create secrets for a project
gistsafe create --project myapp --environment dev
# → prompts for key/value pairs and an encryption password

# View secrets
gistsafe get --project myapp --environment dev

# Run a command with secrets injected as env vars
gistsafe inject --project myapp --environment dev -- npm start

# List all projects
gistsafe list

Usage

Creating Secrets

gistsafe create --project myapp --environment dev

Options:

  • --password-hint "Office wifi password" — hint shown before password prompt
  • --obfuscate-keys — encrypts key names as well as values

With obfuscation enabled, DATABASE_URL in storage becomes gAAAAABk7X.... Original names are restored on retrieval.

Updating Secrets

gistsafe update --project myapp --environment dev

Shows current secrets first, then prompts for new values. Unchanged secrets are preserved.

Retrieving Secrets

gistsafe get --project myapp --environment dev

If a password hint was set, it displays before the password prompt.

Injecting Secrets into Commands

gistsafe inject --project myapp --environment prod -- npm start
gistsafe inject --project myapp -- npm test
gistsafe inject --project myapp -- printenv API_KEY

The inject command decrypts secrets, uppercases the keys, sets them as environment variables, and runs your command. If --environment is omitted, it uses NODE_ENV (defaulting to development).

Listing Projects

gistsafe list

Shows all projects, their environments, and gist URLs in a table.

Architecture

┌──────────┐     ┌──────────────┐     ┌─────────────┐
│  CLI     │────▶│  GistSafe    │────▶│  GitHub API │
│ (Click)  │     │  (manager)   │     │  (PyGithub) │
└──────────┘     └──────┬───────┘     └─────────────┘
                        │
              ┌─────────┼─────────┐
              ▼         ▼         ▼
        ┌─────────┐ ┌───────┐ ┌─────────┐
        │ crypto  │ │ cache │ │ display │
        │(Fernet) │ │ (JSON)│ │ (Rich)  │
        └─────────┘ └───────┘ └─────────┘

Secrets are encrypted client-side with your password before touching the network. GitHub never sees plaintext.

Caching

GistSafe maintains a local index at ~/.gistsafe/cache.json to avoid hammering the GitHub API. The cache:

  • Stores project names, environments, and gist IDs (never secrets)
  • Auto-refreshes in the background when stale (>1 hour)
  • Updates immediately on create/update operations
  • Falls back to direct API search on cache miss

Security

What's Protected

  • All secrets are encrypted with PBKDF2HMAC-SHA256 (100,000 iterations) + Fernet before storage
  • Encryption password never leaves your machine
  • Gists are created as private by default
  • Optional key obfuscation hides variable names in storage

Limitations

GistSafe is designed for development and personal projects. It is not suitable for:

  • Production environments
  • Regulated industries (finance, healthcare)
  • Applications requiring SOC2, HIPAA, or PCI compliance

For production use, consider HashiCorp Vault, AWS Secrets Manager, Doppler, or Infisical.

Best Practices

  • Use strong, unique passwords per project
  • Rotate GitHub tokens regularly
  • Enable 2FA on your GitHub account
  • Use key obfuscation for sensitive projects
  • Never include the actual password in hints

Development

git clone https://github.com/moringaman/gistsafe.git
cd gistsafe
python -m venv .venv
source .venv/bin/activate
pip install -e .

Run tests:

# Test crypto roundtrip
python -c "from gistsafe.crypto import encrypt_value, decrypt_value; import os; s=os.urandom(16); v,s2=encrypt_value('test','pw',s); assert decrypt_value(v,'pw',s2)=='test'; print('OK')"

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gistsafe-0.1.0.tar.gz (14.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

gistsafe-0.1.0-py3-none-any.whl (15.0 kB view details)

Uploaded Python 3

File details

Details for the file gistsafe-0.1.0.tar.gz.

File metadata

  • Download URL: gistsafe-0.1.0.tar.gz
  • Upload date:
  • Size: 14.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for gistsafe-0.1.0.tar.gz
Algorithm Hash digest
SHA256 8dfdbe4716b473619010b6ac4ae5675a162ee39d09c6d1ad0d826da06dd90d3e
MD5 1b95e19ea6e067ac3fa1dc7ed66d6ee6
BLAKE2b-256 2cd0e10eeb9bbcde8e53f02fb56e20faaa8f3640e0ee968fe7d8d88c7ca45e74

See more details on using hashes here.

File details

Details for the file gistsafe-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: gistsafe-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 15.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for gistsafe-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1047d11c59b7b4b76b50512afc84e4040bcddee0e5f5568c1b9e340f49bc6eed
MD5 ca24270e066e1ccd593cb6200dafb8a7
BLAKE2b-256 5cd0d71c4618206b6a8fc032489d4c0f837185e8b267ad5a94dfee3bfa5eeeea

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page