A universal secrets manager
Project description
Mind Castle - Build a wall around your secrets
A universal store for your secret data. Don't delay securing you or your customer's data by deliberating over cloud secret stores. Mind Castle makes it easy to get started, and easy to switch between cloud secret stores.
Mind Castle currently supports:
- HashiCorp Vault
- AWS Secrets Manager
- In-memory and JSON stores that should only be used for testing/migration
Architecture
Mind Castle comes in three parts:
- A unified interface for several secret stores.
- An SQLAlchemy column type that transparently stores and retrieves secrets for you.
- A migration tool to convert your existing DB column data into secrets.
Some other notes:
- Mind Castle is configured and secret stores are initialised at import time. That means env-vars used for configuration need to be defined when Mind Castle is imported.
- Mind Castle makes no attempt to manage secrets in memory. Memory management in Python is futile, and if you need that level of control it's best to use another language.
Install
pip install mind-castle
Configure
You can configure Mind Castle by setting environment variables for your chosen secret store. To see what configuration options are required for each store:
$ python -m mind_castle
Mind-Castle - Shhhhh
====================
Available secret stores:
memory - Required env vars: []
awssecretsmanager - Required env vars: ['MIND_CASTLE_AWS_REGION', 'MIND_CASTLE_AWS_ACCESS_KEY_ID', 'MIND_CASTLE_AWS_SECRET_ACCESS_KEY']
hashicorpvault - Required env vars: ['MIND_CASTLE_VAULT_HOST', 'MIND_CASTLE_VAULT_PORT', 'MIND_CASTLE_VAULT_TOKEN']
json - Required env vars: []
Use
In your model file:
from mind_castle.sqlalchemy import SecretData
class MyDBModel(Base):
name = Column(String, nullable=False)
created_at = Column(DateTime, default=datetime.datetime.now)
secret_data = Column(SecretData("hashicorpvault"))
Your secrets are now safely stored in Vault (or AWS, or anywhere else)!
TODO
- Make migration script work for non-json columns
- Document migration
- Support deleting secrets when row is deleted
- Implement prefixes/folders for secrets
- Explain how secrets are stored
- Enforce tests on PR / branch protections
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mind_castle-0.2.6.tar.gz.
File metadata
- Download URL: mind_castle-0.2.6.tar.gz
- Upload date:
- Size: 59.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8e70ede1edb34fa933347246bcd303a576e893a324561b6bc11f162bde033888
|
|
| MD5 |
78ab08e4102456110d7943bcfb2bef1a
|
|
| BLAKE2b-256 |
0986b66b5c1c865c34184bd1deb0eb5af7f892692a2ff75f6fea744d0beff6b8
|
File details
Details for the file mind_castle-0.2.6-py3-none-any.whl.
File metadata
- Download URL: mind_castle-0.2.6-py3-none-any.whl
- Upload date:
- Size: 20.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cb36560e1b2cec47d5a4ab83a0264ea59f9ff61a0e2a21b077c08b96ab812f43
|
|
| MD5 |
f6452037d9bce9fb146ea8f2cf40f36a
|
|
| BLAKE2b-256 |
d4a031ce82d7ecfb307e91a60c60832d015482374a3bc86d04831de8cbdf4dc9
|
