A GPG-based secret storing/sharing library
Harpocrates (Ancient Greek: Ἁρποκράτης) was the god of silence, secrets and confidentiality.
Harpo is a GPG-based secret storage/sharing library.
It aims to be a convenient wrapper around GPG and tries to solve the following problems:
- Store secrets in a repository (currently only git is supported) in a secure manner
- Provide role-based access to the stored secrets
- Provide an easy way to reencrypt secrets
It was inspired by blackbox by StackExchange.
Harpo is available at pypi.org and can be installed with pip:
pip install harpo
Suppose we have some git repository:
$ git rev-parse --is-inside-work-tree
true
Then we can initialize harpo right away with:
This command will create the necessary directory structure and bootstrap it with some default groups and domains:
[INFO] Initializing at /home/user/my_repo/.harpo
[INFO] Add domain: all
[INFO] Create group: all
[INFO] Create group: adm
[INFO] OK
Now it's time to add the first users. Harpo will look into your GPG public keyring and will try to import public keys from there.
harpo add user <Key ID> -g adm
The Key ID can be any string that identifies your key: email, surname, id, etc.
Let's say you have a key with email
harpo add user mr.robot -g adm
[INFO] Importing key A8.....0 - Mister Robot <email@example.com>
[INFO] Add user 'Mister Robot <firstname.lastname@example.org>' to group 'adm'
[INFO] Add user 'Mister Robot <email@example.com>' to group 'all'
[INFO] Reencrypting everything!
Note that with -g adm we also indicated that we want this user to be added to the adm group.
Every user also belongs to the group all.
Encrypt some stuff
harpo encrypt all/my_password hunter2
This will create a new GPG encrypted file at
You can also encrypt entire files with
harpo encrypt-file all/bobs_password /home/alice/Downloads/bobs_password
harpo decrypt all/my_password
It will print the secret's contents to STDOUT:
$ harpo decrypt all/my_password
hunter2
Let's create another domain for our development-related secrets and another for production.
harpo add domain dev
harpo add domain prod
This will create
harpo add group developers
Currently only group adm has access to both of them.
Let's change this by allowing group developers to read secrets in domain dev:
harpo allow -g developers dev
Now if you add users to the developers group, they will all be able to decrypt secrets in dev:
harpo add user mr.developer -g developers
Harpo automatically reencrypts secrets when it's appropriate. If you want to trigger reencryption manually, run:
A secret is a GPG-encrypted file stored inside a domain.
Its recipient list always contains the users from group adm, plus any other recipients that are allowed to read secrets in its domain.
Domains provide a way to group secrets: all secrets inside a given domain have the same list of recipients. Users can specify which groups/users can read secrets in a given domain.
There is one system domain created by default: all.
Its purpose is to store secrets that can be decrypted by any existing user.
Members of group adm can decrypt any secret in any domain.
A user is basically just a GPG recipient. Harpo identifies users by looking into its GPG public keyring located at
A group is a list of users. There are two special system groups: all and adm. They have the following properties:
- Every user belongs to all, hence can decrypt any secret in the all domain
- Members of adm can decrypt any secret in any domain
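The access model described above (adm always included, every user in all, per-domain allow lists, and reencryption whenever a domain's recipient set changes), as an added example that models the rules in plain Python. It is not Harpo's own code; the class, method names and in-memory layout are assumptions made for illustration, and the key IDs are constructed.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "adm"   # members can decrypt any secret in any domain
ALL_GROUP = "all"     # every user is a member
ALL_DOMAIN = "all"    # system domain readable by every user


@dataclass
class HarpoModel:
    """Assumed in-memory model of Harpo's users, groups and domains (not Harpo's code)."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=lambda: {ALL_GROUP: set(), ADMIN_GROUP: set()})
    domains: dict = field(default_factory=lambda: {ALL_DOMAIN: {"groups": {ALL_GROUP}, "users": set()}})

    def add_user(self, key_id, group=None):
        self.users.add(key_id)
        self.groups[ALL_GROUP].add(key_id)          # every user belongs to 'all'
        if group:
            self.groups.setdefault(group, set()).add(key_id)

    def add_group(self, name):
        self.groups.setdefault(name, set())

    def add_domain(self, name):
        self.domains.setdefault(name, {"groups": set(), "users": set()})

    def allow(self, domain, group=None, user=None):
        if group:
            self.domains[domain]["groups"].add(group)
        if user:
            self.domains[domain]["users"].add(user)

    def recipients(self, domain):
        """GPG recipient set for any secret in `domain`: adm plus allowed groups/users."""
        dom = self.domains[domain]
        recips = set(self.groups[ADMIN_GROUP])
        for g in dom["groups"]:
            recips |= self.groups.get(g, set())
        recips |= dom["users"]
        return frozenset(recips)

    def needs_reencrypt(self, domain, current_recipients):
        """True when a secret's stored recipient list no longer matches the domain's."""
        return set(current_recipients) != self.recipients(domain)


def page_walkthrough():
    """Replays the command sequence from this page against the model."""
    h = HarpoModel()
    h.add_user("mr.robot", group=ADMIN_GROUP)        # harpo add user mr.robot -g adm
    h.add_domain("dev"); h.add_domain("prod")         # harpo add domain dev / prod
    h.add_group("developers")                         # harpo add group developers
    h.allow("dev", group="developers")                # harpo allow -g developers dev
    h.add_user("mr.developer", group="developers")    # harpo add user mr.developer -g developers
    return h
```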
| Filename (size) | File type | Python version |
|---|---|---|
| harpo-0.5.11-py2-none-any.whl (16.8 kB) | Wheel | py2 |
| harpo-0.5.11-py3-none-any.whl (20.5 kB) | Wheel | py3 |