Python client library for the HelvetiSafe secret management system with zero-knowledge encryption

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for TheM0f from gravatar.com TheM0f

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Helvetisafe contributors
  • Tags secrets , vault , encryption , zero-knowledge , oauth , helvetisafe
  • Requires: Python >=3.8
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

helvetisafe-client

Python client library for the Helvetisafe secret management system with zero-knowledge encryption.

Status

✅ v0.1.0 — available

Features

  • Pythonic interface for the Helvetisafe API
  • OAuth 2.0 Client Credentials authentication with automatic token lifecycle management
  • Client-side zero-knowledge encryption (AES-256-GCM) and decryption
  • RSA-OAEP Org Key unwrapping
  • Two authentication modes:
    • RSA Key mode — supply a PEM private key file or bytes
    • Password mode — supply a service account password; the client derives the key automatically via Argon2id
  • Full secret operations: create, get, update, delete, list
  • Structured exceptions for all error conditions
  • Type hints throughout

Installation

pip install helvetisafe-client

Quick Start

from helvetisafe import HelvetisafeClient

# RSA Key mode (recommended for production)
client = HelvetisafeClient(
    base_url="https://vault.helvetisafe.ch",
    client_id="your-client-id",
    client_secret="your-client-secret",
    private_key_path="/path/to/service-account-private-key.pem",
)

# Password mode
client = HelvetisafeClient(
    base_url="https://vault.helvetisafe.ch",
    client_id="your-client-id",
    client_secret="your-client-secret",
    password="your-service-account-password",
)

Usage

# Create a secret (encrypted automatically on the client)
client.secrets.create("database_password", "s3cr3t-v@lue")

# Read a secret (decrypted automatically on the client)
secret = client.secrets.get("database_password")
print(secret.value)

# Update a secret
client.secrets.update("database_password", "n3w-v@lue")

# List secrets — metadata only, no plaintext values
for s in client.secrets.list():
    print(s.key, s.expires_at)

# Delete a secret
client.secrets.delete("database_password")

Setting an expiry

from datetime import datetime, timedelta, timezone

expires = datetime.now(tz=timezone.utc) + timedelta(days=30)
client.secrets.create("temp_token", "abc123", expires_at=expires)

Error handling

from helvetisafe import (
    HelvetisafeAuthError,
    HelvetisafeNotFoundError,
    HelvetisafeForbiddenError,
    HelvetisafeRateLimitError,
)

try:
    secret = client.secrets.get("my_key")
except HelvetisafeNotFoundError:
    print("Secret does not exist.")
except HelvetisafeForbiddenError:
    print("Insufficient permissions.")
except HelvetisafeRateLimitError:
    print("Rate limit exceeded.")
except HelvetisafeAuthError:
    print("Authentication failed.")

API Reference

HelvetisafeClient

Parameter Type Required Description
base_url str Base URL of the Helvetisafe instance
client_id str OAuth 2.0 client ID
client_secret str OAuth 2.0 client secret
private_key_path str one of Path to RSA private key PEM file
private_key_pem bytes one of PEM-encoded RSA private key bytes
password str one of Service account password (password mode)
scopes list[str] OAuth scopes (default: all)
session requests.Session Custom HTTP session

client.secrets

Method Description
get(key) Retrieve and decrypt a secret
create(key, value, expires_at=None) Create a new encrypted secret
update(key, value, expires_at=None) Update an existing encrypted secret
delete(key) Delete a secret
list() List all visible secret keys (metadata only)

Exceptions

Exception HTTP status Description
HelvetisafeError Base exception
HelvetisafeAuthError 401 Authentication / token failure
HelvetisafeCryptoError Local cryptographic operation failed
HelvetisafeAPIError any Generic API error
HelvetisafeNotFoundError 404 Secret not found
HelvetisafeConflictError 409 Secret already exists
HelvetisafeForbiddenError 403 Insufficient permissions
HelvetisafeRateLimitError 429 Rate limit exceeded

Architecture

HelvetisafeClient
  │
  ├─► POST /oauth/token
  │       ← access_token  (refreshed automatically 30 s before expiry)
  │
  ├─► GET  /api/v1/credentials/org-key
  │       ← encrypted Org Key (RSA-OAEP)
  │   RSA decrypt → Org Key  (held in memory for client lifetime)
  │
  ├─► secrets.create / update
  │   AES-256-GCM encrypt (random nonce) → POST /api/v1/secrets/{key}
  │
  └─► secrets.get
      GET /api/v1/secrets/{key}  ← AES-256-GCM ciphertext
      AES decrypt → plaintext

The server stores and transmits only ciphertext. Plaintext values never leave the process.

Requirements

  • Python 3.8+
  • cryptography >= 41.0
  • requests >= 2.28
  • argon2-cffi >= 23.1

Development

pip install -e ".[dev]"
pytest tests/ -v

Examples

See the examples/ directory:

  • basic_usage.py — create, read, update, list, and delete a secret
  • env_config.py — load all configuration from environment variables

Contributing

Contributions are welcome. Please open an issue or pull request in this repository.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for TheM0f from gravatar.com TheM0f

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Helvetisafe contributors
  • Tags secrets , vault , encryption , zero-knowledge , oauth , helvetisafe
  • Requires: Python >=3.8
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.1.2

This version

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

helvetisafe_client-0.1.1.tar.gz (20.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

helvetisafe_client-0.1.1-py3-none-any.whl (15.4 kB view details)

Uploaded Python 3

File details

Details for the file helvetisafe_client-0.1.1.tar.gz.

File metadata

  • Download URL: helvetisafe_client-0.1.1.tar.gz
  • Upload date:
  • Size: 20.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for helvetisafe_client-0.1.1.tar.gz
Algorithm Hash digest
SHA256 b37c9f0b24afa19a4e6a9aa5c663197e47b61efeced3996867dabd912180d562
MD5 b39ec17c82c5ab7f10b7571bffecc1bc
BLAKE2b-256 a494de775e9d9491310af45981f18f22b8ac5789b3caadcab4c0fad07c747c59

See more details on using hashes here.

Provenance

The following attestation bundles were made for helvetisafe_client-0.1.1.tar.gz:

Publisher: publish.yml on TheM0f/helvetisafe-python-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file helvetisafe_client-0.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for helvetisafe_client-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 426dd15251bdf68ca3be13538daa879514b5ba71ca989bcb0435f50de57c5c29
MD5 47d6a5fa7e32b60f074d07ca89e4058f
BLAKE2b-256 61cd22477dd15b1d6b254ad530381d97a7220b3b4fcd691d1bf6a4e3ffb0ba59

See more details on using hashes here.

Provenance

The following attestation bundles were made for helvetisafe_client-0.1.1-py3-none-any.whl:

Publisher: publish.yml on TheM0f/helvetisafe-python-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page