A minimal AES-256-GCM-based secrets manager for Python
Project description
🔐 MiniSecret
MiniSecret is a minimal, secure secrets manager for Python projects and automation agents.
It uses AES-256-GCM encryption and an environment-based master key to keep your secrets safe, simple, and offline.
📦 Features
- 🔒 AES-256-GCM authenticated encryption
- 🔐 Environment-based master key (
MINISECRET_KEY) - 🧊 Local encrypted file store (
secrets.enc.json) - ⚙️ Simple Python class + optional CLI tool
- 🧽 Secure memory auto-wipe for sensitive values
🧪 Summary Comparison
| Feature | MiniSecret | python-keyring | python-decouple | hvac / AWS / GCP |
|---|---|---|---|---|
| 🔐 Encryption | ✅ AES-256-GCM | ✅ OS-backed | ❌ None | ✅ Enterprise |
| 📁 File-based | ✅ | ❌ | ✅ | ❌ |
| 💻 Works offline | ✅ | ✅ | ✅ | ⚠️ Limited |
| 🧠 Simple to use | ✅ | ✅ | ✅ | ❌ |
| 🛡️ Secrets in memory only | ✅ Optional | ❌ | ❌ | ✅ |
📁 Project Structure
project/
├── minisecret.py # Secrets manager
├── secrets.enc.json # Encrypted secrets file (auto-generated)
└── your_script.py # Your automation or GUI agent
⚙️ Installation
pip install cryptography
🔑 Setup: Master Key
✅ Step 1: Generate a Strong Key
python -c "import os, base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())"
Copy the output string.
✅ Step 2: Set the MINISECRET_KEY Environment Variable
🔹 Linux/macOS (temporary)
export MINISECRET_KEY="your-generated-key"
To persist: add to ~/.bashrc or ~/.zshrc.
🔹 Windows PowerShell (temporary)
$env:MINISECRET_KEY = "your-generated-key"
🔹 Windows GUI (persistent)
- Search for "Environment Variables"
- Add a new User variable
- Name:
MINISECRET_KEY - Value: your-generated-key
- Name:
🧪 Example: Store and Use Secrets
You want to store this secret:
MySecretPassword
✅ CLI: Store the Secret
python minisecret.py put my_password MySecretPassword
✅ CLI: Retrieve the Secret
python minisecret.py get my_password
Secure retrieval (auto-wipe from memory):
python minisecret.py get my_password --secure
List all stored keys:
python minisecret.py list
✅ Python: Use the Stored Secret
from minisecret import MiniSecret
import pyautogui
import time
secrets = MiniSecret()
# Secure version (wiped from memory immediately)
password = secrets.secure_get("my_password")
# Wait and type it into a GUI field
time.sleep(2)
pyautogui.write(password, interval=0.1)
🔐 Security Notes
- Secrets are encrypted with AES-256-GCM and stored in
secrets.enc.json - Secrets are decrypted only in memory when accessed
- Use
secure_get()or--secureto clear secrets from memory after use - Keep your
MINISECRET_KEYsafe and never commit it to source control
✅ CLI Summary
python minisecret.py put <key> <value>
python minisecret.py get <key> [--secure]
python minisecret.py list
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file minisecret-0.1.0.tar.gz.
File metadata
- Download URL: minisecret-0.1.0.tar.gz
- Upload date:
- Size: 4.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5977865cf0f93bba1f14f2eb1aaa0f4493ff4517ce395624b82d9aa33000c20b
|
|
| MD5 |
af1dab409a2494c73d01435cad1406b3
|
|
| BLAKE2b-256 |
ae88892b0762350902081494f20ddf1d54f242ef49ef8707f315094fd4f8fd9e
|
Provenance
The following attestation bundles were made for minisecret-0.1.0.tar.gz:
Publisher:
publish.yml on Cognet-74/MiniSecret
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
minisecret-0.1.0.tar.gz -
Subject digest:
5977865cf0f93bba1f14f2eb1aaa0f4493ff4517ce395624b82d9aa33000c20b - Sigstore transparency entry: 194060849
- Sigstore integration time:
-
Permalink:
Cognet-74/MiniSecret@c1039f94631c52d03ee16d824dd90ac45bc76c41 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/Cognet-74
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c1039f94631c52d03ee16d824dd90ac45bc76c41 -
Trigger Event:
push
-
Statement type:
File details
Details for the file minisecret-0.1.0-py3-none-any.whl.
File metadata
- Download URL: minisecret-0.1.0-py3-none-any.whl
- Upload date:
- Size: 5.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
20cb1184536768047e53520e8c0a5203596a84dcbed48314eb66a1f3eaeb28ab
|
|
| MD5 |
df02dc15357575cccec5a3c1962fec3f
|
|
| BLAKE2b-256 |
a4b4f1cb6794c62c3cbde6fac6ba1359d9e3397c839d06991482fa53a93c6b9a
|
Provenance
The following attestation bundles were made for minisecret-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on Cognet-74/MiniSecret
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
minisecret-0.1.0-py3-none-any.whl -
Subject digest:
20cb1184536768047e53520e8c0a5203596a84dcbed48314eb66a1f3eaeb28ab - Sigstore transparency entry: 194060850
- Sigstore integration time:
-
Permalink:
Cognet-74/MiniSecret@c1039f94631c52d03ee16d824dd90ac45bc76c41 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/Cognet-74
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c1039f94631c52d03ee16d824dd90ac45bc76c41 -
Trigger Event:
push
-
Statement type: