Skip to main content

Unified credentials framework — encrypted config, OS keystore, Vaultwarden integration

Project description

Locke — Python

Unified credentials framework — encrypted config, OS keystore, Vaultwarden integration.

Install

For local development from this repository:

cd python
pip install -e ".[dev]"

From the repository root on macOS, install the public Locke CLI/package locally:

python3 -m pip install -e ./python
locke --version

The locke executable is installed into the active Python environment's bin directory, so make sure that directory is on your PATH.

Usage

Library

import locke

# Load and decrypt config → flat env vars
env = locke.load_config(".locke/config.encrypted.json")
# env["MONGO_URI"], env["SENTRY_DSN"], etc.

# Resolve a single credential
cred = locke.resolve_credential("LOCKE_ENCRYPTION_KEY")

# Get or set a vault secret
secret = locke.get_vault_secret("myproject/staging/api_key")
locke.set_vault_secret("myproject/staging/api_key", "new-value")

# Check Locke-owned setup placeholders ("FILL_ME")
if locke.is_placeholder(secret):
    raise RuntimeError("vault secret still needs a real value")

CLI

# Decrypt + flatten → shell exports
eval $(locke env)

# Decrypt to stdout
locke decrypt

# Encrypt plaintext config
locke encrypt

# Manage OS keystore
locke keystore set LOCKE_ENCRYPTION_KEY --prompt
locke keystore get LOCKE_ENCRYPTION_KEY

# Get vault secret
locke vault get myproject/staging/api_key

# Create missing vault entries from locke.json, then fill them interactively
locke vault setup
locke vault setup --interactive

# Initialize project
locke init --project myproject --tenant staging

Vault placeholders

Locke uses locke.PLACEHOLDER_VALUE ("FILL_ME") for vault entries that are known but not filled yet. Use locke.is_placeholder(value) instead of hard-coding the sentinel. VaultClient.get_secret() warns when it returns a placeholder; VaultClient.set_secret(path, None) or an empty value writes a placeholder and warns.

Environment Variables

Variable Purpose
LOCKE_ENV Override environment detection
LOCKE_ENCRYPTION_KEY Encryption key (if not in keystore)
LOCKE_USE_BIOMETRIC Set false to disable biometric gating
LOCKE_VAULT_URL Vaultwarden server URL
LOCKE_VAULT_USERNAME Vaultwarden username

Testing

cd python
pip install -e ".[dev]"
pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

locke-0.7.0.tar.gz (89.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

locke-0.7.0-py3-none-any.whl (57.3 kB view details)

Uploaded Python 3

File details

Details for the file locke-0.7.0.tar.gz.

File metadata

  • Download URL: locke-0.7.0.tar.gz
  • Upload date:
  • Size: 89.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.14

File hashes

Hashes for locke-0.7.0.tar.gz
Algorithm Hash digest
SHA256 289702452441864a4aa8c5b4f35105263bff07462a305f4c406eba162e9c6f6c
MD5 23d909cef0ffe3f18dd1434f3f8a9538
BLAKE2b-256 4ae2d295fa4e75391067972fab43edfdc565e2f032d2cbadf8c1d43b112a2852

See more details on using hashes here.

File details

Details for the file locke-0.7.0-py3-none-any.whl.

File metadata

  • Download URL: locke-0.7.0-py3-none-any.whl
  • Upload date:
  • Size: 57.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.14

File hashes

Hashes for locke-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a175d99070f0a41845320f9cb199ce1182d7fa3462619c1e177fb4bde4ab4e0e
MD5 4b455b1ad70a9b806faa62c783b1af14
BLAKE2b-256 de2c5d92c7337a5fea5541c88e16250345f13f4ea9d757ab8f8adbc5c65236ba

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page