Skip to main content

Unified credentials framework — encrypted config, OS keystore, Vaultwarden integration

Project description

Locke — Python

Unified credentials framework — encrypted config, OS keystore, Vaultwarden integration.

Install

For local development from this repository:

cd python
pip install -e ".[dev]"

From the repository root on macOS, install the public Locke CLI/package locally:

python3 -m pip install -e ./python
locke --version

The locke executable is installed into the active Python environment's bin directory, so make sure that directory is on your PATH.

Usage

Library

import locke

# Load and decrypt config → flat env vars
env = locke.load_config(".locke/config.encrypted.json")
# env["MONGO_URI"], env["SENTRY_DSN"], etc.

# Resolve a single credential
cred = locke.resolve_credential("LOCKE_ENCRYPTION_KEY")

# Get or set a vault secret
secret = locke.get_vault_secret("myproject/staging/api_key")
locke.set_vault_secret("myproject/staging/api_key", "new-value")

# Check Locke-owned setup placeholders ("FILL_ME")
if locke.is_placeholder(secret):
    raise RuntimeError("vault secret still needs a real value")

CLI

# Decrypt + flatten → shell exports
eval $(locke env)

# Decrypt to stdout
locke decrypt

# Encrypt plaintext config
locke encrypt

# Manage OS keystore
locke keystore set LOCKE_ENCRYPTION_KEY --prompt
locke keystore get LOCKE_ENCRYPTION_KEY

# Get vault secret
locke vault get myproject/staging/api_key

# Create missing vault entries from locke.json, then fill them interactively
locke vault setup
locke vault setup --interactive

# Initialize project
locke init --project myproject --tenant staging

Vault placeholders

Locke uses locke.PLACEHOLDER_VALUE ("FILL_ME") for vault entries that are known but not filled yet. Use locke.is_placeholder(value) instead of hard-coding the sentinel. VaultClient.get_secret() warns when it returns a placeholder; VaultClient.set_secret(path, None) or an empty value writes a placeholder and warns.

Environment Variables

Variable Purpose
LOCKE_ENV Override environment detection
LOCKE_ENCRYPTION_KEY Encryption key (if not in keystore)
LOCKE_USE_BIOMETRIC Set false to disable biometric gating
LOCKE_VAULT_URL Vaultwarden server URL
LOCKE_VAULT_USERNAME Vaultwarden username

Testing

cd python
pip install -e ".[dev]"
pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

locke-0.6.1.tar.gz (88.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

locke-0.6.1-py3-none-any.whl (56.0 kB view details)

Uploaded Python 3

File details

Details for the file locke-0.6.1.tar.gz.

File metadata

  • Download URL: locke-0.6.1.tar.gz
  • Upload date:
  • Size: 88.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for locke-0.6.1.tar.gz
Algorithm Hash digest
SHA256 53e82b235376de35ac7689d8b8212bdaf11bbd9eb82c3ab02a4ad13c8f481693
MD5 3b26f3ebb68b9fe1f334527454502a04
BLAKE2b-256 286dc1df3aa244e510b0ee3f46584ee3d8b50835820cc404a7da22d97606ddd8

See more details on using hashes here.

File details

Details for the file locke-0.6.1-py3-none-any.whl.

File metadata

  • Download URL: locke-0.6.1-py3-none-any.whl
  • Upload date:
  • Size: 56.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for locke-0.6.1-py3-none-any.whl
Algorithm Hash digest
SHA256 0c0a65071ee744990c4698f60f8d157d3c61d7ae3db82ca6b849f24e777cc0a7
MD5 c94154798acc7989592e9870d2586989
BLAKE2b-256 f18433456ab2388c1fa77b2c6ead4e6ae896901e1fae7a2f07dab22cab5207e0

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page