Secure token management library for CLI tools, using two-layer encryption with local key and 1Password vault integration.
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
KeySentinel 🔐
KeySentinel is a lightweight, secure token encryption library and CLI tool for managing sensitive credentials with strong Zero Trust principles.
📖 Read the full article explaining the Two-Layer Security Architecture here
✨ Features
- 🔐 Two-layer token encryption: local symmetric key + vault storage
- 🚀 Developer-friendly CLI (keysentinel) with zero plaintext leakage
- 🔥 Predefined profiles for common APIs (AWS, GitHub, OpenAI, GCP, etc.)
- 🛡️ Extensible custom profiles via JSON
- 💩 Zero Trust Local Environment Enforcement
- 🗋 Secure clipboard copy with automatic timeout cleaning
- ❌ Export to plaintext files (.env, .json) intentionally blocked for safety
🚀 Why KeySentinel?
Most CLI tools expose credentials through .env files or unsecured memory spaces.
KeySentinel breaks this insecure paradigm:
- No unencrypted secrets on disk.
- No unguarded outputs without user consent.
- Ephemeral secrets that self-destroy after a timeout.
- Clear warnings to educate developers about security risks.
"If it’s not encrypted, it’s exposed. If it’s on disk, it’s compromised." — The Zen of Zero Trust
⚡ Quick Usage
Encrypt and store a token via Python
from keysentinel import upsert_encrypted_fields
upsert_encrypted_fields(
fields={"github_token": "ghp_xxx123"},
item_title="GitHub CLI Token",
)
Retrieve and decrypt a token via Python
from keysentinel import retrieve_and_decrypt_fields
fields = retrieve_and_decrypt_fields("GitHub CLI Token")
print(fields["github_token"])
Using the CLI (Recommended)
# Encrypt and store fields securely (values prompted securely)
keysentinel encrypt-token --title "AWS CLI Credentials" --fields aws_access_key_id --fields aws_secret_access_key
# Or use a predefined profile
keysentinel encrypt-token --title "GitHub Token" --profile github
# Retrieve and decrypt fields
keysentinel get-token --title "AWS CLI Credentials"
⚠️ Credentials will be cleared from your terminal and memory automatically after a short timeout.
🛡️ Security Model
| Aspect | Behavior |
|---|---|
| Local Encryption | AES256/Fernet with a user-local symmetric key |
| Vault Transport | Secrets stored inside 1Password CLI (“op”) |
| Decryption | Memory-only, no disk writes |
| Export | Blocked by default (no .env, no .json) |
| User Awareness | Visual warnings on decrypted output |
| Secret Lifecycle | Timeout auto-clears memory and screen |
📂 Token Profiles (Built-in)
KeySentinel supports predefined profiles to simplify common API credential handling:
| Profile | Fields |
|---|---|
| aws | aws_access_key_id, aws_secret_access_key |
| github | github_token |
| gcp | gcp_client_email, gcp_private_key, gcp_project_id |
| openai | openai_api_key |
| azure | azure_client_id, azure_client_secret, azure_tenant_id, azure_subscription_id |
| slack | slack_token |
and many others… (30+ profiles supported!)
You can list and use these profiles by passing --profile <profile_name>.
🛠️ Extend with Custom Profiles
You can extend KeySentinel by creating a file at:
~/.keysentinel_profiles.json
Example content:
{
"huggingface": {
"description": "Hugging Face API Token",
"fields": ["hf_token"]
},
"figma": {
"description": "Figma Personal Access Token",
"fields": ["figma_token"]
}
}
When running encrypt-token, your custom profiles will be automatically available!
❌ Why Export is Blocked
KeySentinel blocks plaintext exports (--export-env, --export-json) intentionally.
Attempting to use them shows this educational warning:
⚠️ Do NOT store or copy them into plaintext files or version control.
"If it's not encrypted, it's exposed. If it's on disk, it's compromised."
from "The Zen of Zero Trust"
For more info:
- run:
import zero_trust - read: Zero Trust Local Environment Manifesto
📜 Zero Trust Manifest
You can load the philosophy inside Python:
import zero_trust
Or read it online:
👉 Zero Trust Local Environment Manifesto
🔗 Related Reading
- Zero Trust Architecture (NIST)
- Zero Trust Local Environment Manifesto
- Two-Layer Security Architecture for Token Management
🛃️ Roadmap
- Secure CLI operations
- Custom and extensible token profiles
- Memory-timeout auto-clear after exposure
- Multi-vault support (future)
- Bitwarden CLI integration (future)
⚖️ License
MIT License
👨💼 Author
Built with ❤️ by Davi Luiz Guides
KeySentinel: Secure your tokens, secure your workflows. 🔐
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keysentinel-0.2.9.tar.gz.
File metadata
- Download URL: keysentinel-0.2.9.tar.gz
- Upload date:
- Size: 19.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b00d894aff4e143599046dc4f532e3a77a666378f8a849a04d58cee685189b30
|
|
| MD5 |
2d25e3edc587ac11b388a0190fcf42e6
|
|
| BLAKE2b-256 |
cabe40b318b7cc7337f1843a0d0dcecf9994cfb0006bb0e4e5ccd8781e6ec95c
|
Provenance
The following attestation bundles were made for keysentinel-0.2.9.tar.gz:
Publisher:
publish-pypi.yml on daviguides/keysentinel
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keysentinel-0.2.9.tar.gz -
Subject digest:
b00d894aff4e143599046dc4f532e3a77a666378f8a849a04d58cee685189b30 - Sigstore transparency entry: 915284839
- Sigstore integration time:
-
Permalink:
daviguides/keysentinel@52c8887ff8f496564c4f5f22adc209fe0d4ec101 -
Branch / Tag:
refs/tags/v0.2.9 - Owner: https://github.com/daviguides
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@52c8887ff8f496564c4f5f22adc209fe0d4ec101 -
Trigger Event:
push
-
Statement type:
File details
Details for the file keysentinel-0.2.9-py3-none-any.whl.
File metadata
- Download URL: keysentinel-0.2.9-py3-none-any.whl
- Upload date:
- Size: 15.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
75e7144e92623e4d37be7c94e8dba01e9d2c6bb9a3b1f9cd2175023649362807
|
|
| MD5 |
36b5560ab6679a19be8fb737a3f707b8
|
|
| BLAKE2b-256 |
58082b69c871cd37ff9c25d35585c38677e556b77e0eec946b5fbd05dd0e7954
|
Provenance
The following attestation bundles were made for keysentinel-0.2.9-py3-none-any.whl:
Publisher:
publish-pypi.yml on daviguides/keysentinel
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keysentinel-0.2.9-py3-none-any.whl -
Subject digest:
75e7144e92623e4d37be7c94e8dba01e9d2c6bb9a3b1f9cd2175023649362807 - Sigstore transparency entry: 915284987
- Sigstore integration time:
-
Permalink:
daviguides/keysentinel@52c8887ff8f496564c4f5f22adc209fe0d4ec101 -
Branch / Tag:
refs/tags/v0.2.9 - Owner: https://github.com/daviguides
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@52c8887ff8f496564c4f5f22adc209fe0d4ec101 -
Trigger Event:
push
-
Statement type:
