Lightweight secrets manager — encrypted vault, env injection, stdout redaction. No Docker, no server, no account.

ownlock

Lightweight secrets manager — encrypted local vault, .env injection, stdout redaction.

No Docker. No server. No account. Just pip install ownlock.

Quick start

pip install ownlock

# Create a vault (passphrase saved to system keyring)
ownlock init

# Store secrets
ownlock set anthropic-api-key
> Enter value: ****

# In your .env, use vault() instead of plain values:
# ANTHROPIC_API_KEY=vault("anthropic-api-key")

# Run commands with secrets injected and stdout redacted
ownlock run -- python app.py

.env format

Plain values pass through unchanged. Secrets stay in the vault and are resolved at runtime:

# Non-sensitive config (stored as plain text)
OLLAMA_BASE_URL=http://localhost:11434
DEFAULT_WORKER_MODEL=anthropic:claude-opus-4-6

# Secrets (resolved from vault at runtime)
ANTHROPIC_API_KEY=vault("anthropic-api-key")
OPENAI_API_KEY=vault("openai-api-key", env="production")

Commands

Command                 Description
ownlock init            Create a vault (global or --project local)
ownlock set KEY         Store a secret in global vault (use --project for project vault)
ownlock set KEY=VALUE   Store inline
ownlock get KEY         Print decrypted value
ownlock list            Show secret names (never values)
ownlock delete KEY      Remove a secret
ownlock run -- CMD      Resolve .env, inject secrets, redact stdout
ownlock export          Print resolved KEY=VALUE pairs
ownlock import .env     Bulk import from plaintext .env
ownlock scan .          Scan files for leaked secret values

Add --project to any command to use the project vault (.ownlock/vault.db) instead of the global vault.

How it works

  • Secrets are encrypted with AES-256-GCM and stored in a local SQLite database
  • Key derivation: PBKDF2-HMAC-SHA256 with 200,000 iterations
  • Vault passphrase stored in your system keyring (macOS Keychain, GNOME Keyring, etc.)
  • ownlock run resolves vault() references, injects env vars into the subprocess, and redacts any secret values that appear in stdout/stderr
  • Zero network calls. Everything is local.
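
A minimal sketch of the resolve, inject and redact flow described above, added here as an illustration; it is not ownlock's code. The VAULT dict stands in for the decrypted vault, and the function names, the sample key values and the "default" env name are assumptions.

```python
import os
import re
import subprocess

# Constructed stand-in for the decrypted vault: (name, env) -> value. "default" is an assumed env name.
VAULT = {
    ("anthropic-api-key", "default"): "sk-ant-EXAMPLE-0001",
    ("openai-api-key", "production"): "sk-oai-EXAMPLE-0002",
}
# Constructed sample .env text using the syntax from the ".env format" section.
DOTENV = '''OLLAMA_BASE_URL=http://localhost:11434
ANTHROPIC_API_KEY=vault("anthropic-api-key")
OPENAI_API_KEY=vault("openai-api-key", env="production")
'''
# Matches vault("name") and vault("name", env="production").
VAULT_REF = re.compile(r'^vault\("([^"]+)"(?:\s*,\s*env="([^"]+)")?\)$')

def resolve_env(text, vault):
    """Return (env, secrets): plain values pass through, vault() references are looked up."""
    env, secrets = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = VAULT_REF.match(value)
        if m:
            name, scope = m.group(1), m.group(2) or "default"
            if (name, scope) not in vault:
                raise KeyError(f"{key}: no secret {name!r} in env {scope!r}")
            value = vault[(name, scope)]
            secrets.add(value)  # remember the value so output can be masked later
        env[key] = value
    return env, secrets

def redact(text, secrets):
    """Mask literal secret values, longest first so overlapping values are fully covered."""
    for s in sorted(secrets, key=len, reverse=True):
        if s:
            text = text.replace(s, "[REDACTED]")
    return text

def run_redacted(cmd, dotenv_text, vault):
    """Run cmd with resolved variables injected; return (exit code, redacted stdout+stderr)."""
    env, secrets = resolve_env(dotenv_text, vault)
    proc = subprocess.run(cmd, env={**os.environ, **env}, text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.returncode, redact(proc.stdout, secrets)
```

Redaction in this sketch matches literal values only, so an encoded copy of a secret (for example base64) passes through unmasked.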

Storage

  • Global vault: ~/.ownlock/vault.db — default for all commands
  • Project vault: .ownlock/vault.db — use --project flag

License

MIT

Download files

Source Distribution

ownlock-0.1.0.tar.gz (16.2 kB)

Uploaded Source

Built Distribution

ownlock-0.1.0-py3-none-any.whl (13.1 kB)

Uploaded Python 3

File details

Details for the file ownlock-0.1.0.tar.gz.

File metadata

  • Download URL: ownlock-0.1.0.tar.gz
  • Upload date:
  • Size: 16.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ownlock-0.1.0.tar.gz
Algorithm Hash digest
SHA256 204cf9764b0bc283d7c4d0bb8657fea97bfe67f84fae6bda7d1198ae3195a540
MD5 1b38ec257feae0945ae6165898753ae2
BLAKE2b-256 38a7f5ecf30b8a8c634433c6821d7a12537da06ad15f4875cb45d3cad9814d51

Provenance

The following attestation bundles were made for ownlock-0.1.0.tar.gz:

Publisher: ci.yml on thebscolaro/ownlock

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ownlock-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: ownlock-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 13.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ownlock-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 863f27138484a1cc032d110a8615f586db062ce22aa39b996016b2354f40efa8
MD5 6e4c9c29205adf46b3fc3f655f7d6e96
BLAKE2b-256 9f2f7cd60103dba86ba2e99f2e82ca37fb927811d21e0abaa38521a47158fa1c

Provenance

The following attestation bundles were made for ownlock-0.1.0-py3-none-any.whl:

Publisher: ci.yml on thebscolaro/ownlock

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
