A minimal AES-256-GCM-based secrets manager for Python
Project description
🔐 MiniSecret
MiniSecret is a minimal, secure secrets manager for Python projects and automation agents.
It uses AES-256-GCM encryption and an environment-based master key to keep your secrets safe, simple, and offline.
📦 Features
- 🔒 AES-256-GCM authenticated encryption
- 🔐 Environment-based master key (
MINISECRET_KEY) - 🧊 Local encrypted file store (
secrets.enc.json) - ⚙️ Simple Python class + optional CLI tool
- 🧽 Secure memory auto-wipe for sensitive values
- 🚫 No cloud dependencies or runtime daemons
🧪 Summary Comparison
| Feature | MiniSecret | python-keyring | python-decouple | hvac / AWS / GCP |
|---|---|---|---|---|
| 🔐 Encryption | ✅ AES-256-GCM | ✅ OS-backed | ❌ None | ✅ Enterprise |
| 📁 File-based | ✅ | ❌ | ✅ | ❌ |
| 💻 Works offline | ✅ | ✅ | ✅ | ⚠️ Limited |
| 🧠 Simple to use | ✅ | ✅ | ✅ | ❌ |
| 🛡️ Secrets in memory only | ✅ Optional | ❌ | ❌ | ✅ |
⚙️ Installation
Install directly from PyPI:
pip install minisecret
🔑 Setup: Master Key
✅ Step 1: Generate a Strong Key
python -c "import os, base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())"
✅ Step 2: Set the MINISECRET_KEY Environment Variable
🔹 Linux/macOS (temporary)
export MINISECRET_KEY="your-generated-key"
To persist: add to ~/.bashrc, ~/.zshrc, or .profile.
🔹 Windows PowerShell (temporary)
$env:MINISECRET_KEY = "your-generated-key"
🔹 Windows GUI (persistent)
- Search for "Environment Variables"
- Add a new User variable
- Name:
MINISECRET_KEY - Value: your-generated-key
- Name:
🧪 Example: Store and Use Secrets
You want to store the following secret:
MySecretPassword
✅ CLI: Store the Secret
minisecret put my_password MySecretPassword
✅ CLI: Retrieve the Secret
minisecret get my_password
Secure retrieval (auto-wiped from memory):
minisecret get my_password --secure
List all stored keys:
minisecret list
✅ Python: Use the Stored Secret
from minisecret import MiniSecret
import pyautogui
import time
secrets = MiniSecret()
# Secure version (wiped from memory immediately)
password = secrets.secure_get("my_password")
# Type the password into a GUI window
time.sleep(2)
pyautogui.write(password, interval=0.1)
🔐 Security Notes
- Secrets are encrypted with AES-256-GCM and stored in
secrets.enc.json - Secrets are decrypted only in memory when accessed
- Use
secure_get()or--secureto clear secrets from memory after use - Do not commit
secrets.enc.jsonor yourMINISECRET_KEYto version control
✅ CLI Summary
minisecret put <key> <value>
minisecret get <key> [--secure]
minisecret list
📚 License
💡 Ideas for the Future
- ⏳ Auto-expiring secrets
- 📦 Project-based secret stores
- 🔐 Password-prompt fallback for the master key
- 🧽 Clipboard auto-clear support
Developed with ❤️ by @Cognet-74
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file minisecret-0.1.4.tar.gz.
File metadata
- Download URL: minisecret-0.1.4.tar.gz
- Upload date:
- Size: 4.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c5b80ff408fbbe5b622dff3b0fb285c106dd30f88349459784bd03680e55ea81
|
|
| MD5 |
a17ecc8d72dbc3285bf6ce44eb44abf1
|
|
| BLAKE2b-256 |
417d74b24fc23aeb2d134e51db8e28572374ffc5bd6dcb863e9a93f9278ca1e8
|
Provenance
The following attestation bundles were made for minisecret-0.1.4.tar.gz:
Publisher:
publish.yml on Cognet-74/MiniSecret
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
minisecret-0.1.4.tar.gz -
Subject digest:
c5b80ff408fbbe5b622dff3b0fb285c106dd30f88349459784bd03680e55ea81 - Sigstore transparency entry: 194296159
- Sigstore integration time:
-
Permalink:
Cognet-74/MiniSecret@51ad6c4ce8f89a256666c97eab42c330f84ffd68 -
Branch / Tag:
refs/tags/v0.1.4 - Owner: https://github.com/Cognet-74
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@51ad6c4ce8f89a256666c97eab42c330f84ffd68 -
Trigger Event:
push
-
Statement type:
File details
Details for the file minisecret-0.1.4-py3-none-any.whl.
File metadata
- Download URL: minisecret-0.1.4-py3-none-any.whl
- Upload date:
- Size: 6.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
41798e8a7e0f6c04b408c3a6d30466993d738cfcafbfb40b8db07a894a76a16e
|
|
| MD5 |
04f8ce38146da4929f9c4573960b9be8
|
|
| BLAKE2b-256 |
5ab15ecdf7a21d477e298251a37372d22d84ba790df695c8e17574290f8a94d4
|
Provenance
The following attestation bundles were made for minisecret-0.1.4-py3-none-any.whl:
Publisher:
publish.yml on Cognet-74/MiniSecret
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
minisecret-0.1.4-py3-none-any.whl -
Subject digest:
41798e8a7e0f6c04b408c3a6d30466993d738cfcafbfb40b8db07a894a76a16e - Sigstore transparency entry: 194296162
- Sigstore integration time:
-
Permalink:
Cognet-74/MiniSecret@51ad6c4ce8f89a256666c97eab42c330f84ffd68 -
Branch / Tag:
refs/tags/v0.1.4 - Owner: https://github.com/Cognet-74
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@51ad6c4ce8f89a256666c97eab42c330f84ffd68 -
Trigger Event:
push
-
Statement type: