
A GPG-based secret storing/sharing library

Project description



Harpocrates (Ancient Greek: Ἁρποκράτης) was the god of silence, secrets and confidentiality.

Harpo is a GPG-based secret storage/sharing library.

It aims to be a convenient wrapper around GPG and tries to solve the following problems:

  • Store secrets in a repository (currently only git is supported) in a secure manner
  • Provide role-based access to the stored secrets
  • Provide an easy way to reencrypt secrets

It was inspired by blackbox by StackExchange.


Harpo is available at and can be installed with pip:

pip install harpo

Quick start


Suppose we have some git repository:

$ git rev-parse --is-inside-work-tree

Then we can initialize harpo right away with:

harpo initialize

This command will create the necessary directory structure and bootstrap it with some default groups and domains:

[INFO] Initializing at /home/user/my_repo/.harpo
[INFO] Add domain: all
[INFO] Create group: all
[INFO] Create group: adm

Add users

Now it's time to add the first users. Harpo will look into your GPG public keyring and will try importing public keys from there.

harpo add user <Key ID> -g adm

Key ID can be any string that identifies your key: email, surname, ID, etc.

Let's say you have a key with email

harpo add user mr.robot -g adm
[INFO] Importing key A8.....0 - Mister Robot <>
[INFO] Add user 'Mister Robot <>' to group 'adm'
[INFO] Add user 'Mister Robot <>' to group 'all'
[INFO] Reencrypting everything!

Note that we also indicated that we want this user to be added to the adm group. Also, every user belongs to group all.

Encrypt some stuff

harpo encrypt all/my_password hunter2

This will create a new GPG encrypted file at .harpo/domains/all/my_password.


You can also encrypt entire files with encrypt-file:

harpo encrypt-file all/bobs_password /home/alice/Downloads/bobs_password


harpo decrypt all/my_password

It will print the secret's contents to STDOUT:

$ harpo decrypt all/my_password

Add domains

Let's create another domain for our development-related secrets and another for production.

harpo add domain dev
harpo add domain prod

This will create .harpo/domains/dev and .harpo/domains/prod.

Add groups

harpo add group developers

Granting access

Currently only group adm has access to both the dev and prod domains. Let's change this by allowing group developers to read secrets in domain dev:

harpo allow -g developers dev

Now if you add users to the developers group, they will all be able to decrypt secrets in the dev domain:

harpo add user mr.developer -g developers


Harpo automatically reencrypts secrets when it's appropriate. If you want to trigger reencryption manually, run:

harpo reencrypt



A secret is a GPG-encrypted file stored inside a domain.

Its recipient list always contains users from group adm and other recipients that are allowed to read secrets in its domain.


Domains provide a way to group secrets: all secrets inside a given domain have the same list of recipients. Users can specify which groups/users can read secrets in a given domain.

There is one system domain created by default: all. Its purpose is to store secrets that can be decrypted by any existing user.

Group adm can decrypt any secrets in any domain.


A user is basically just a GPG recipient. Harpo identifies users by looking into its GPG public keyring located at .harpo/keychain/pubkeyring.gpg


A group is a list of users. There are two special system groups: all and adm. They have the following properties:

  • Every user belongs to all and hence can decrypt any secret in the special all domain
  • adm can decrypt any secret in any domain
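
The recipient rule described above (group adm plus every group allowed on the domain), as an added Python model that is not Harpo's own code. Class and function names are hypothetical; the users, groups and domains are those of the quick start. It reports which domains' recipient lists change when a user is added, whereas Harpo's own log shows it reencrypting everything.

```python
# Added example: a model of the recipient rule described above, not Harpo's code.
# Class and function names are hypothetical; user names come from the quick start.
ADM, ALL = "adm", "all"

class AccessModel:
    def __init__(self):
        self.groups = {ALL: set(), ADM: set()}  # group -> member users
        self.allowed = {ALL: {ALL}}             # domain -> groups allowed to read

    def add_domain(self, domain):
        self.allowed.setdefault(domain, set())

    def add_group(self, group):
        self.groups.setdefault(group, set())

    def allow(self, group, domain):
        self.allowed[domain].add(group)  # KeyError if the domain is unknown

    def add_user(self, user, group):
        self.groups[group].add(user)
        self.groups[ALL].add(user)  # every user belongs to group all

    def recipients(self, domain):
        users = set(self.groups[ADM])  # adm can decrypt any secret in any domain
        for group in self.allowed[domain]:
            users |= self.groups[group]
        return users

    def snapshot(self):
        return {d: frozenset(self.recipients(d)) for d in self.allowed}

def stale_domains(before, after):
    """Domains whose recipient list changed; their secrets must be reencrypted."""
    return sorted(d for d in after if before.get(d) != after[d])

def quick_start():
    m = AccessModel()
    m.add_user("mr.robot", ADM)
    for domain in ("dev", "prod"):
        m.add_domain(domain)
    m.add_group("developers")
    m.allow("developers", "dev")
    before = m.snapshot()
    m.add_user("mr.developer", "developers")
    return m, stale_domains(before, m.snapshot())

if __name__ == "__main__":
    model, stale = quick_start()
    print("reencrypt:", stale, "| prod readers:", sorted(model.recipients("prod")))
```

Adding mr.developer changes the recipient lists of all and dev, while prod stays readable by adm only.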


Files for harpo, version 0.5.12

  • harpo-0.5.12-py2-none-any.whl (16.8 kB), file type Wheel, Python version py2
  • harpo-0.5.12-py3-none-any.whl (20.5 kB), file type Wheel, Python version py3
