Skip to main content

Developer secret workbench: a pure-Python keystore with GUI and CLI for OS keyring and AWS Secrets Manager

Project description

keynest

Why? Because you're going to leak your .env files to git someday.

keynest is a local-first secret workbench for individual developers. It keeps named maps (json files) of configuration in your operating system's credential store or AWS Secrets Manager and makes the safest common operation the shortest one:

keynest run dev -- python app.py

The values are added only to that child process's environment. Your current shell is unchanged and keynest does not create a plaintext .env file.

keynest is useful when you:

  • switch among several projects or environments and want each one's values grouped together;
  • want a lightweight GUI for entering, masking, copying, and organizing development credentials;
  • need the same CLI workflow with either a laptop keychain or AWS Secrets Manager;
  • inherited a .env file and want to import it, then stop keeping the working copy in the repository; or
  • want repo-aware defaults so keynest run dev -- ... finds the right map after you move or clone a checkout.

How it compares

Tool category Better fit when How keynest differs
.env files Portability and framework-native loading matter more than plaintext-at-rest risk keynest avoids a working plaintext file and injects values at process launch
Password managers You need browser autofill, personal records, sharing, or polished mobile apps keynest organizes flat environment-style maps and focuses on developer processes
Team secret platforms You need sharing, access policy, rotation, approvals, or centralized audit keynest is deliberately single-developer and has no server of its own
Cloud-only secret stores Production workloads already fetch secrets directly from a cloud provider keynest adds a local OS-keyring option, a GUI, and one workflow across local and AWS storage

keynest is alpha software. It reduces accidental exposure through files, commits, shell exports, and casual display; it is not a boundary against malware, a compromised user account, or an untrusted child process.

Installation

Python 3.11 or newer is required. An isolated tool installation is recommended:

uv tool install keynest
# or
pipx install keynest

Plain pip also works:

pip install keynest

The package installs keynest and keynest-gui. Linux users may also need their distribution's Tkinter package and a running Secret Service or KWallet session.

Quick start

Check that the OS credential store works, then create a map:

keynest health
keynest set my-app/dev DATABASE_URL "postgresql://localhost/app"
keynest set my-app/dev LOG_LEVEL info
keynest run my-app/dev -- python app.py

Passing a real secret to set can leave it in shell history, so use keynest-gui for interactive entry. The GUI can also import pasted .env content, generate passwords, reveal or copy values temporarily, and manage maps.

Inside a Git checkout, a bare map name defaults to a folder derived from the remote, such as /acme.my-app/dev. An explicit folder/name always wins:

keynest set dev API_TOKEN value       # detected repo folder, if any
keynest set default/dev API_TOKEN value
keynest run dev -- npm run dev

Use keynest init-repo to create a secret-free .keynest marker with a stable folder choice, or pass --no-repo to disable repo-aware resolution for one command.

AWS Secrets Manager is selected per command:

keynest health --aws --profile personal --region us-east-1
keynest run --aws --profile personal --region us-east-1 dev -- python app.py

Run keynest --help for all commands. The full documentation covers the quick start, CLI, GUI, repository defaults, storage model, AWS backend, and security limitations.

Contributing

See CONTRIBUTING.md.

License

MIT — see LICENSE.

Changelog

See CHANGELOG.md.

Prior Art

aws-vault is the best prior art and is recommended over this tool for the moment. The main advantage of keynest will be that it is pure Python and ships a GUI. keynest also borrows patterns shamelessly from chamber, SOPS, KeePassXC, and the developer-docs-as-a-feature approach of Infisical / Doppler / 1Password.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keynest-0.1.0.tar.gz (84.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

keynest-0.1.0-py3-none-any.whl (76.4 kB view details)

Uploaded Python 3

File details

Details for the file keynest-0.1.0.tar.gz.

File metadata

  • Download URL: keynest-0.1.0.tar.gz
  • Upload date:
  • Size: 84.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keynest-0.1.0.tar.gz
Algorithm Hash digest
SHA256 da7eba01e4f8c3a57c3bae18b768ae099196ca9855cdf53d42d77dfd82720b00
MD5 c3e294516e94ac57454e1a893c809754
BLAKE2b-256 5ad2cade4b12767995e1650d0ea823e28df752b9f715a98dd82d506c99ebf87b

See more details on using hashes here.

Provenance

The following attestation bundles were made for keynest-0.1.0.tar.gz:

Publisher: release.yml on matthewdeanmartin/keynest

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file keynest-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: keynest-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 76.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keynest-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 958c7777bb369483c258a2cc290dd5569f373b72eae3e96a23745f74461f5b69
MD5 6eadb94c71de8099d1d0238de5506269
BLAKE2b-256 b40b3da08cbf6840658f8521bea4a754d7c30bc0da3d86121960338b2489e861

See more details on using hashes here.

Provenance

The following attestation bundles were made for keynest-0.1.0-py3-none-any.whl:

Publisher: release.yml on matthewdeanmartin/keynest

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page