Skip to main content
Donate to the Python Software Foundation or Purchase a PyCharm License to Benefit the PSF! Donate Now

A GPG-based secret storing/sharing library

Project description

Harpo

Description

Harpocrates (Ancient Greek: Ἁρποκράτης) was the god of silence, secrets and confidentiality.

Harpo is GPG-based secret storage/sharing library.

It is aims to be a convenient wrapper around GPG and tries to solve following problems:

  • Store secrets in a repository (currently only git is supported) in a secure manner
  • Provide role-based access to the stored secrets
  • Provide an easy way to reencrypt secrets

It was inspired by blackbox by StackExchange.

Installation

Harpo is available at pypi.org and can be installed with pip:

pip install harpo

Quick start

Initialization

Suppose we have some git repository:

$ git rev-parse --is-inside-work-tree
true

Then we can initialize harpo right away with:

harpo initialize

This command will create necessary directory structure and bootstrap it with some default groups and domains:

[INFO] Initializing at /home/user/my_repo/.harpo
[INFO] Add domain: all
[INFO] Create group: all
[INFO] Create group: adm
[INFO] OK

Add users

Now it's time to add the first users. Harpo will look into your GPG public keyring and will try importing public keys from there.

harpo add user <Key ID> -g adm

Key ID can be any string, that identifies your key: email, surname, id, etc.

Let's say you have a key with email mr.robot@example.com:

harpo add user mr.robot -g adm
[INFO] Importing key A8.....0 - Mister Robot <mr.robot@example.com>
[INFO] Add user 'Mister Robot <mr.robot@example.com>' to group 'adm'
[INFO] Add user 'Mister Robot <mr.robot@example.com>' to group 'all'
[INFO] Reencrypting everything!

Note, that we also indicated, that we want this user to be added to the adm group. Also every user belongs to group all

Encrypt some stuff

harpo encrypt all/my_password hunter2

This will create a new GPG encrypted file at .harpo/domains/all/my_password.

Note:

You can also encrypt entire files with encrypt-file:

harpo encrypt-file all/bobs_password /home/alice/Downloads/bobs_password

Decryption

harpo decrypt all/my_password

It will print the secret's contents to the STDOUT:

$ harpo decrypt all/my_password
hunter2

Add domains

Let's create another domain for our development-related secrets and another for production.

harpo add domain dev
harpo add domain prod

This will create .harpo/domains/dev and .harpo/domains/prod.

Add groups

harpo add group developers

Granting access

Currently only group adm has access to both dev and prod domains. Lets change this by allowing group developers to read secrets in domain dev:

harpo allow -g developers dev

Now if you add users to developers group, they all will be able to decrypt secrets in dev domain:

harpo add user mr.developer -g developers

Reencrypting

Harpo automatically reencrypts secrets when it's appropriate. If you want to trigger reencryption manually, run:

harpo reencrypt

Terminology

Secret

Secret — is a GPG encrypted file, stored inside a domain.

Its recipients list always contains users from group adm and other recipients that are allowed to read secrets in its domain.

Domain

Domains provide a way to group secrets: all secrets inside a given domain have the same list of recipients. User can specify which groups/users can read secrets in a given domain.

There is one system domain created by default: all. Its purpose is to store secrets, that can be decrypted by any existing user.

Group adm can decrypt any secrets in any domain.

User

Basically it's just a GPG recipient. Harpo identifies users by looking into its GPG public keyring located at .harpo/keychain/pubkeyring.gpg

Group

Group — is a list of users. There are two special system groups: all and adm. They have following properties:

  • Every user belongs to all, hence can decrypt any secret in all special domain,
  • And adm can decrypt any secret in any domain

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
harpo-0.5.11-py2-none-any.whl (16.8 kB) Copy SHA256 hash SHA256 Wheel py2
harpo-0.5.11-py3-none-any.whl (20.5 kB) Copy SHA256 hash SHA256 Wheel py3

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page