Skip to main content

A secure secrets management package for mobile backend applications with encryption, versioning, and audit logging

Project description

Mobile Secrets Vault 🔐

PyPI version Python Versions License: MIT CI

A robust, secure Python package for managing secrets in mobile backend applications (FastAPI, Django, Flask) with AES-GCM-256 encryption, versioning, rotation, and audit logging.

✨ Features

  • 🔒 Military-Grade Encryption: AES-GCM-256 authenticated encryption
  • 📚 Version Control: Track secret history with automatic versioning
  • 🔄 Key Rotation: Seamlessly rotate encryption keys without downtime
  • 📝 Audit Logging: Complete audit trail of all operations
  • 🖥️ CLI & Python API: Use via command line or integrate programmatically
  • 🚀 Backend Integration: Ready-to-use examples for FastAPI and Django
  • 🧪 Well-Tested: Comprehensive test suite (64 tests across crypto, vault, versioning, CLI, and audit)
  • 🐍 Modern Python: Supports Python 3.8+

🚀 Quick Start

Installation

pip install mobile-secrets-vault

CLI Usage

# Initialize a new vault
vault init

# Set secrets
vault set DATABASE_URL "postgresql://localhost/mydb"
vault set API_KEY "secret-key-12345"

# Get secrets
vault get DATABASE_URL

# List all secrets
vault list

# View version history
vault list-versions DATABASE_URL

# Rotate encryption key
vault rotate

Python API Usage

from mobile_secrets_vault import MobileSecretsVault

# Initialize vault
vault = MobileSecretsVault(
    master_key_file=".vault/master.key",
    secrets_filepath=".vault/secrets.yaml"
)

# Set a secret
version = vault.set("API_KEY", "my-secret-value")
print(f"Secret saved as version {version}")

# Get a secret
api_key = vault.get("API_KEY")
print(f"API Key: {api_key}")

# List all secrets
secrets = vault.list_keys()
print(f"Stored secrets: {secrets}")

# View version history
versions = vault.list_versions("API_KEY")
for v in versions:
    print(f"Version {v['version']}: {v['timestamp']}")

# Rotate encryption key
new_key = vault.rotate()
print("All secrets re-encrypted with new key!")

📖 Documentation

CLI Commands

Command Description Example
vault init Initialize vault and generate master key vault init --output-dir .vault
vault set <key> <value> Set or update a secret vault set DB_PASS mypassword
vault get <key> Retrieve a secret vault get DB_PASS
vault delete <key> Delete a secret vault delete OLD_KEY --yes
vault list List all secret keys vault list
vault list-versions <key> Show version history vault list-versions API_KEY
vault rotate Rotate master encryption key vault rotate --new-key-file new.key
vault audit View audit logs vault audit --key API_KEY

Python API Methods

class MobileSecretsVault:
    def __init__(
        self,
        master_key: bytes = None,
        master_key_file: str = None,
        secrets_filepath: str = None,
        audit_log_file: str = None,
        auto_save: bool = True
    )
    
    def set(self, key: str, value: str, metadata: dict = None) -> int
    def get(self, key: str, version: int = None) -> str
    def delete(self, key: str) -> bool
    def list_keys(self) -> list[str]
    def list_versions(self, key: str) -> list[dict]
    def rotate(self, new_key: bytes = None) -> bytes
    def get_audit_log(self, key: str = None, limit: int = 100) -> list[dict]
    def save(self) -> None

🏗️ Integration Examples

FastAPI Integration

from fastapi import FastAPI, Depends
from mobile_secrets_vault import MobileSecretsVault

app = FastAPI()
vault = None

@app.on_event("startup")
async def startup():
    global vault
    vault = MobileSecretsVault(
        master_key_file=".vault/master.key",
        secrets_filepath=".vault/secrets.yaml"
    )

@app.get("/config")
def get_config():
    return {
        "database_url": vault.get("DATABASE_URL"),
        "api_key": vault.get("API_KEY")
    }

See examples/fastapi_example.py for a complete implementation.

Django Integration

# settings.py
from mobile_secrets_vault import MobileSecretsVault

VAULT = MobileSecretsVault(
    master_key_file=BASE_DIR / '.vault' / 'master.key',
    secrets_filepath=BASE_DIR / '.vault' / 'secrets.yaml'
)

SECRET_KEY = VAULT.get('DJANGO_SECRET_KEY')
DATABASES = {
    'default': {
        'PASSWORD': VAULT.get('DB_PASSWORD'),
        'USER': VAULT.get('DB_USER'),
    }
}

See examples/django_example.py for a complete implementation.

🔐 Security Best Practices

Master Key Management

[!CAUTION] NEVER commit your master key to version control!

  1. Add to .gitignore:

    echo ".vault/" >> .gitignore
    
  2. Store securely in production:

    • Use environment variables
    • Use cloud secret managers (AWS Secrets Manager, Google Secret Manager)
    • Use hardware security modules (HSM) for enterprise deployments
  3. Backup your master key:

    • Store encrypted backups in multiple secure locations
    • Use password managers for team access
    • Document key recovery procedures

Encryption Details

  • Algorithm: AES-GCM-256 (Authenticated Encryption with Associated Data)
  • Key Size: 256 bits (32 bytes)
  • Nonce: Random 96-bit nonce per encryption
  • Authentication: Built-in authentication tag prevents tampering

Production Deployment

# Option 1: Environment variable
export VAULT_MASTER_KEY="<base64-encoded-key>"

# Option 2: Mounted key file (Kubernetes, Docker)
vault --master-key-file /run/secrets/vault_key get API_KEY

# Option 3: Cloud secret manager
# Retrieve master key from AWS Secrets Manager, then initialize vault

🧪 Development

Setup Development Environment

# Clone repository
git clone https://github.com/emorilebo/mobile_secrets_vault.git
cd mobile_secrets_vault

# Install in development mode
pip install -e ".[dev]"

# Run tests
pytest

# Run tests with coverage
pytest --cov=mobile_secrets_vault --cov-report=html

# Format code
black src/ tests/

# Lint code
flake8 src/ tests/

# Type check
mypy src/

Running Tests

# All tests
pytest

# Specific test file
pytest tests/test_vault.py

# With coverage report
pytest --cov=mobile_secrets_vault --cov-report=term-missing

# Verbose output
pytest -v

📦 Publishing to PyPI

Prerequisites

  1. Create PyPI Account: Sign up at pypi.org
  2. Create API Token: Settings → API tokens → Add API token
  3. Install build tools:
    pip install build twine
    

Build and Publish

# 1. Update version in pyproject.toml
# version = "0.1.0" -> "0.1.1"

# 2. Build package
python -m build

# 3. Check package
twine check dist/*

# 4. Upload to TestPyPI (optional)
twine upload --repository testpypi dist/*

# 5. Test installation
pip install --index-url https://test.pypi.org/simple/ mobile-secrets-vault

# 6. Upload to PyPI (production)
twine upload dist/*

Automated Publishing with GitHub Actions

The package includes a CI/CD workflow that automatically:

  • Runs tests on Python 3.8-3.12
  • Checks code formatting and linting
  • Publishes to PyPI on tagged releases

To trigger automated publishing:

git tag v0.1.0
git push origin v0.1.0

🤝 Contributing

Contributions are welcome! Please follow these steps:

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature/amazing-feature
  3. Make your changes and add tests
  4. Run tests: pytest
  5. Format code: black src/ tests/
  6. Commit: git commit -m 'Add amazing feature'
  7. Push: git push origin feature/amazing-feature
  8. Open a Pull Request

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

👤 Author

Godfrey Lebo

🙏 Acknowledgments

📊 At a Glance

  • Dependencies: 4 (cryptography, click, PyYAML, python-dotenv)
  • Python Versions: 3.8, 3.9, 3.10, 3.11, 3.12
  • Encryption: AES-GCM-256 with random 96-bit nonces
  • License: MIT

⭐ If you find this project useful, please consider giving it a star on GitHub!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mobile_secrets_vault-0.1.1.tar.gz (26.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mobile_secrets_vault-0.1.1-py3-none-any.whl (20.0 kB view details)

Uploaded Python 3

File details

Details for the file mobile_secrets_vault-0.1.1.tar.gz.

File metadata

  • Download URL: mobile_secrets_vault-0.1.1.tar.gz
  • Upload date:
  • Size: 26.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mobile_secrets_vault-0.1.1.tar.gz
Algorithm Hash digest
SHA256 7a10ea9f4298043007bc7e95a143ab9b092b0923da16c760bdde2e3bc870dd7c
MD5 c67d9d09f8443bf9222966cc111895ea
BLAKE2b-256 30ddac3a76f87e9cb39a033c19b4ada25d3557af63a537597142f2566dba00ea

See more details on using hashes here.

Provenance

The following attestation bundles were made for mobile_secrets_vault-0.1.1.tar.gz:

Publisher: ci.yml on emorilebo/mobile_secrets_vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mobile_secrets_vault-0.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for mobile_secrets_vault-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 091e30dfed378e0d5b8dbbaf3e720cdb1d0a24486ab4bb90db7b2815d519c655
MD5 5be58a1c3a97d0dc95dc97fb9ab8f8c0
BLAKE2b-256 6ca683195a45a995c2d2966347228cb7cd9258e719cc615dff59abcbe0e03880

See more details on using hashes here.

Provenance

The following attestation bundles were made for mobile_secrets_vault-0.1.1-py3-none-any.whl:

Publisher: ci.yml on emorilebo/mobile_secrets_vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page