Developer secret workbench: a pure-Python keystore with GUI and CLI for OS keyring and AWS Secrets Manager
Project description
keynest
Why? Because you're going to leak your .env files to git someday.
keynest is a local-first secret workbench for individual developers. It keeps named maps (json files) of configuration in your operating system's credential store or AWS Secrets Manager and makes the safest common operation the shortest one:
keynest run dev -- python app.py
The values are added only to that child process's environment. Your current shell is unchanged and keynest does not
create a plaintext .env file.
keynest is useful when you:
- switch among several projects or environments and want each one's values grouped together;
- want a lightweight GUI for entering, masking, copying, and organizing development credentials;
- need the same CLI workflow with either a laptop keychain or AWS Secrets Manager;
- inherited a
.envfile and want to import it, then stop keeping the working copy in the repository; or - want repo-aware defaults so
keynest run dev -- ...finds the right map after you move or clone a checkout.
How it compares
| Tool category | Better fit when | How keynest differs |
|---|---|---|
.env files |
Portability and framework-native loading matter more than plaintext-at-rest risk | keynest avoids a working plaintext file and injects values at process launch |
| Password managers | You need browser autofill, personal records, sharing, or polished mobile apps | keynest organizes flat environment-style maps and focuses on developer processes |
| Team secret platforms | You need sharing, access policy, rotation, approvals, or centralized audit | keynest is deliberately single-developer and has no server of its own |
| Cloud-only secret stores | Production workloads already fetch secrets directly from a cloud provider | keynest adds a local OS-keyring option, a GUI, and one workflow across local and AWS storage |
keynest is alpha software. It reduces accidental exposure through files, commits, shell exports, and casual display; it is not a boundary against malware, a compromised user account, or an untrusted child process.
Installation
Python 3.11 or newer is required. An isolated tool installation is recommended:
uv tool install keynest
# or
pipx install keynest
Plain pip also works:
pip install keynest
The package installs keynest and keynest-gui. Linux users may also need their distribution's Tkinter package and
a running Secret Service or KWallet session.
Quick start
Check that the OS credential store works, then create a map:
keynest health
keynest set my-app/dev DATABASE_URL "postgresql://localhost/app"
keynest set my-app/dev LOG_LEVEL info
keynest run my-app/dev -- python app.py
Passing a real secret to set can leave it in shell history, so use keynest-gui for interactive entry. The GUI can
also import pasted .env content, generate passwords, reveal or copy values temporarily, and manage maps.
Inside a Git checkout, a bare map name defaults to a folder derived from the remote, such as
/acme.my-app/dev. An explicit folder/name always wins:
keynest set dev API_TOKEN value # detected repo folder, if any
keynest set default/dev API_TOKEN value
keynest run dev -- npm run dev
Use keynest init-repo to create a secret-free .keynest marker with a stable folder choice, or pass --no-repo to
disable repo-aware resolution for one command.
AWS Secrets Manager is selected per command:
keynest health --aws --profile personal --region us-east-1
keynest run --aws --profile personal --region us-east-1 dev -- python app.py
Run keynest --help for all commands. The full documentation covers the quick start,
CLI, GUI, repository defaults,
storage model, AWS backend, and security limitations.
Contributing
See CONTRIBUTING.md.
License
MIT — see LICENSE.
Changelog
See CHANGELOG.md.
Prior Art
aws-vault is the best prior art and is recommended
over this tool for the moment. The main advantage of keynest will be that it is pure Python
and ships a GUI. keynest also borrows patterns shamelessly from chamber, SOPS, KeePassXC,
and the developer-docs-as-a-feature approach of Infisical / Doppler / 1Password.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keynest-0.1.0.tar.gz.
File metadata
- Download URL: keynest-0.1.0.tar.gz
- Upload date:
- Size: 84.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
da7eba01e4f8c3a57c3bae18b768ae099196ca9855cdf53d42d77dfd82720b00
|
|
| MD5 |
c3e294516e94ac57454e1a893c809754
|
|
| BLAKE2b-256 |
5ad2cade4b12767995e1650d0ea823e28df752b9f715a98dd82d506c99ebf87b
|
Provenance
The following attestation bundles were made for keynest-0.1.0.tar.gz:
Publisher:
release.yml on matthewdeanmartin/keynest
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keynest-0.1.0.tar.gz -
Subject digest:
da7eba01e4f8c3a57c3bae18b768ae099196ca9855cdf53d42d77dfd82720b00 - Sigstore transparency entry: 2030173500
- Sigstore integration time:
-
Permalink:
matthewdeanmartin/keynest@8a009a59d79e3d83fadbdbfdc2b6336e808fc6a7 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/matthewdeanmartin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@8a009a59d79e3d83fadbdbfdc2b6336e808fc6a7 -
Trigger Event:
release
-
Statement type:
File details
Details for the file keynest-0.1.0-py3-none-any.whl.
File metadata
- Download URL: keynest-0.1.0-py3-none-any.whl
- Upload date:
- Size: 76.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
958c7777bb369483c258a2cc290dd5569f373b72eae3e96a23745f74461f5b69
|
|
| MD5 |
6eadb94c71de8099d1d0238de5506269
|
|
| BLAKE2b-256 |
b40b3da08cbf6840658f8521bea4a754d7c30bc0da3d86121960338b2489e861
|
Provenance
The following attestation bundles were made for keynest-0.1.0-py3-none-any.whl:
Publisher:
release.yml on matthewdeanmartin/keynest
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keynest-0.1.0-py3-none-any.whl -
Subject digest:
958c7777bb369483c258a2cc290dd5569f373b72eae3e96a23745f74461f5b69 - Sigstore transparency entry: 2030173675
- Sigstore integration time:
-
Permalink:
matthewdeanmartin/keynest@8a009a59d79e3d83fadbdbfdc2b6336e808fc6a7 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/matthewdeanmartin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@8a009a59d79e3d83fadbdbfdc2b6336e808fc6a7 -
Trigger Event:
release
-
Statement type: