Skip to main content

Unified credentials framework — encrypted config, OS keystore, Vaultwarden integration

Project description

Locke — Python

Unified credentials framework — encrypted config, OS keystore, Vaultwarden integration.

Install

For local development from this repository:

cd python
pip install -e ".[dev]"

From the repository root on macOS, install the public Locke CLI/package locally:

python3 -m pip install -e ./python
locke --version

The locke executable is installed into the active Python environment's bin directory, so make sure that directory is on your PATH.

Usage

Library

import locke

# Load and decrypt config → flat env vars
env = locke.load_config(".locke/config.encrypted.json")
# env["MONGO_URI"], env["SENTRY_DSN"], etc.

# Resolve a single credential
cred = locke.resolve_credential("LOCKE_ENCRYPTION_KEY")

# Get or set a vault secret
secret = locke.get_vault_secret("myproject/staging/api_key")
locke.set_vault_secret("myproject/staging/api_key", "new-value")

# Check Locke-owned setup placeholders ("FILL_ME")
if locke.is_placeholder(secret):
    raise RuntimeError("vault secret still needs a real value")

CLI

# Decrypt + flatten → shell exports
eval $(locke env)

# Decrypt to stdout
locke decrypt

# Encrypt plaintext config
locke encrypt

# Manage OS keystore
locke keystore set LOCKE_ENCRYPTION_KEY --prompt
locke keystore get LOCKE_ENCRYPTION_KEY

# Get vault secret
locke vault get myproject/staging/api_key

# Create missing vault entries from locke.json, then fill them interactively
locke vault setup
locke vault setup --interactive

# Initialize project
locke init --project myproject --tenant staging

Vault placeholders

Locke uses locke.PLACEHOLDER_VALUE ("FILL_ME") for vault entries that are known but not filled yet. Use locke.is_placeholder(value) instead of hard-coding the sentinel. VaultClient.get_secret() warns when it returns a placeholder; VaultClient.set_secret(path, None) or an empty value writes a placeholder and warns.

Environment Variables

Variable Purpose
LOCKE_ENV Override environment detection
LOCKE_ENCRYPTION_KEY Encryption key (if not in keystore)
LOCKE_USE_BIOMETRIC Set false to disable biometric gating
LOCKE_VAULT_URL Vaultwarden server URL
LOCKE_VAULT_USERNAME Vaultwarden username

Testing

cd python
pip install -e ".[dev]"
pytest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

locke-0.8.0.tar.gz (91.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

locke-0.8.0-py3-none-any.whl (58.6 kB view details)

Uploaded Python 3

File details

Details for the file locke-0.8.0.tar.gz.

File metadata

  • Download URL: locke-0.8.0.tar.gz
  • Upload date:
  • Size: 91.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.14

File hashes

Hashes for locke-0.8.0.tar.gz
Algorithm Hash digest
SHA256 234a11f250dfde13d33e1fb1b00f77a044e36727018e1aa204148aececc7fa72
MD5 aecac9b74ddd79c9e46b45ccedcddfc7
BLAKE2b-256 f84aa5cdb7246744f6f5bc6f570b91ff5278137d70630a6dcf1ec88257c88852

See more details on using hashes here.

File details

Details for the file locke-0.8.0-py3-none-any.whl.

File metadata

  • Download URL: locke-0.8.0-py3-none-any.whl
  • Upload date:
  • Size: 58.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.14

File hashes

Hashes for locke-0.8.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b33595af1da147d11047dc6087efebd3ca32f56ffc59c4d4c84119e46aabc05f
MD5 9a11d932d850e745cb7547655c072c6a
BLAKE2b-256 269f6f828d57f3070dbd160f3d0a0e3298c214bd3208ec0f8d5f5f5a7074a938

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page