A simple tool for encrypting (only) the secrets inside text files
Project description
Mask in situ
Mask in situ makes it easy to encrypt only specific sections of files (for example, secrets such as passwords in configuration files).
The intended use is to allow config files to be shared in a partially-encrypted form, so that secrets are protected while the overall structure of the file, and the values of non-sensitive options, remain visible.
Usage
If you have a config file that contains secrets, indicate the values to be encrypted by enclosing them in %MASK{..}, then run the encrypt command:
You can generate a key using the generate-key subcommand.
...
You can provide the name of an environment variable containing the key as an option; if you do not, you will be prompted for the key interactively.
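The following is an added example, not the mask-in-situ project's own code or on-disk format, showing what "encrypt only the marked spans in place" amounts to. It uses only the Python standard library: each `%MASK{...}` value is encrypted under a fresh random nonce with an encrypt-then-MAC construction built from HMAC-SHA256 (HMAC in counter mode as the keystream, a second HMAC as the tag), and replaced by an assumed `%ENC{...}` marker; every other byte of the file is left untouched. The `%ENC{...}` marker, the key encoding and the cipher construction are assumptions made for this example. The sample config is constructed.

```python
"""Illustrative in-situ masking of secrets in a text file (added example;
not the mask-in-situ project's code or file format)."""
import base64
import hashlib
import hmac
import os
import re
import secrets

MASK_RE = re.compile(r"%MASK\{([^{}]*)\}")          # plaintext marker described on the page
ENC_RE = re.compile(r"%ENC\{([A-Za-z0-9_\-]+)\}")  # assumed ciphertext marker (base64url token)
NONCE_LEN = 16
TAG_LEN = 32


def generate_key() -> str:
    """Fresh 256-bit key as base64url text, i.e. what a user would put in an env var."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def _subkeys(key_b64: str):
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    # Independent keys for keystream and tag, both derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: block i = HMAC(k_enc, nonce || i).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(key_b64: str, plaintext: str) -> str:
    k_enc, k_mac = _subkeys(key_b64)
    nonce = os.urandom(NONCE_LEN)  # fresh per value: the same secret twice gives different tokens
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()  # MAC covers nonce and ciphertext
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def decrypt_value(key_b64: str, token: str) -> str:
    k_enc, k_mac = _subkeys(key_b64)
    blob = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check before any decryption
        raise ValueError("authentication failed: token modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct)))).decode()


def encrypt_file(key_b64: str, text: str) -> str:
    """Replace every %MASK{secret} with %ENC{token}; all other text is unchanged."""
    return MASK_RE.sub(lambda m: "%ENC{" + encrypt_value(key_b64, m.group(1)) + "}", text)


def decrypt_file(key_b64: str, text: str, keep_markers: bool = False) -> str:
    """Replace every %ENC{token} with its plaintext. With keep_markers=True the
    plaintext is re-wrapped in %MASK{...} so the file can be edited and re-encrypted."""
    def repl(m):
        value = decrypt_value(key_b64, m.group(1))
        return "%MASK{" + value + "}" if keep_markers else value
    return ENC_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample config, not taken from the project.
    config = "db_host = db.example.internal\ndb_user = app\ndb_pass = %MASK{hunter2}\n"
    key = generate_key()
    masked = encrypt_file(key, config)
    print(masked)                 # db_host and db_user readable, db_pass is an %ENC{...} token
    print(decrypt_file(key, masked))
```

Two properties matter for a tool like this and are the reason for the tag and the per-value nonce: a token that is edited, truncated or decrypted with the wrong key is rejected before any plaintext is produced, and two occurrences of the same password do not yield the same token, so a reader of the masked file cannot tell which options share a value.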
Alternatives
Listing an alternative tool below is not an endorsement: it means I am aware that the tool exists, not that I have evaluated it.
Encrypt part of config file
By default, SOPS encrypts every value (but not the keys) in a YAML/JSON file, but it can optionally encrypt only specific values.
However, it works only on the structured formats it parses (such as YAML and JSON), not arbitrary text files.
Encrypt the whole file
A significant number of tools have been developed to encrypt single files; many of these integrate with Git.
- tomb (GNU/Linux only)
- git-encrypt - deprecated (git-nerps, git-blur, git-easy-crypt)
- BlackBox - specifically intended for secrets
Because the whole file is encrypted, checking or editing even a non-sensitive part of the file requires decrypting it.
Manually remove the secrets
The original file could be edited to replace the secrets with placeholders by hand, with the secrets stored separately in a password manager or an encrypted file.
When a file containing plaintext secrets is required, they can be retrieved and re-added manually.
However, this requires manual effort: whenever any change is made, it must be applied both to the file containing the placeholders and to every version containing plaintext secrets.
Automatically fetch secrets from a vault
An alternative is to not store secrets in any config file, and instead load them from a centralised store provided by a system like:
- HashiCorp Vault
- Square's Keywhiz
- Akeyless Vault
- Thycotic Secret Server
- AWS Secrets Manager
- CloudFlare's Red October (announcement blog post)
This provides advantages such as auditing and easier credential rotation, but requires additional infrastructure.
Tool-specific approaches
These typically involve extracting secrets from a config file into a separate encrypted file that is then imported.
Download files
Hashes for mask_in_situ-0.1.1-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 863363d2f08a9c110826a33c93ce896f616a2b88724e3426354201579fd4087a
MD5 | bda36186b9d00f75e64cc99091b8f798
BLAKE2b-256 | 6f3ed0c83b96c3db9e22737523999e90fe1d9a973ed5fd401601c71aab2e2cb8