Lightweight secrets manager — encrypted vault, env injection, stdout redaction. No Docker, no server, no account.
Project description
ownlock
Lightweight secrets manager — encrypted local vault, .env injection, stdout redaction.
No Docker. No server. No account. Just pip install ownlock.
Quick start
pip install ownlock
# Create a vault (passphrase saved to system keyring)
ownlock init
# Store secrets
ownlock set anthropic-api-key
> Enter value: ****
# In your .env, use vault() instead of plain values:
# ANTHROPIC_API_KEY=vault("anthropic-api-key")
# Run commands with secrets injected and stdout redacted
ownlock run -- python app.py
.env format
Plain values pass through unchanged. Secrets stay in the vault and are resolved at runtime:
# Non-sensitive config (stored as plain text)
OLLAMA_BASE_URL=http://localhost:11434
DEFAULT_WORKER_MODEL=anthropic:claude-opus-4-6
# Secrets (resolved from vault at runtime)
ANTHROPIC_API_KEY=vault("anthropic-api-key")
OPENAI_API_KEY=vault("openai-api-key", env="production")
Commands
| Command | Description |
|---|---|
| ownlock init | Create a vault (global or --project local) |
| ownlock set KEY | Store a secret in global vault (use --project for project vault) |
| ownlock set KEY=VALUE | Store inline |
| ownlock get KEY | Print decrypted value |
| ownlock list | Show secret names (never values) |
| ownlock delete KEY | Remove a secret |
| ownlock run -- CMD | Resolve .env, inject secrets, redact stdout |
| ownlock export | Print resolved KEY=VALUE pairs |
| ownlock import .env | Bulk import from plaintext .env |
| ownlock scan . | Scan files for leaked secret values |
Add --project to any command to use the project vault (.ownlock/vault.db) instead of the global vault.
How it works
- Secrets are encrypted with AES-256-GCM and stored in a local SQLite database
- Key derivation: PBKDF2-HMAC-SHA256 with 200,000 iterations
- Vault passphrase stored in your system keyring (macOS Keychain, GNOME Keyring, etc.)
- ownlock run resolves vault() references, injects env vars into the subprocess, and redacts any secret values that appear in stdout/stderr
- Zero network calls. Everything is local.
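As an added illustration (not ownlock's own code), this sketch shows the resolve-then-redact flow described above: vault() references in a .env file are looked up, and the resolved values are masked in captured output. The vault() grammar is inferred from the examples on this page; the in-memory dictionary standing in for the vault, the "default" environment name and the [REDACTED] mask are assumptions.

```python
import re

# Assumed grammar, inferred from the .env examples on this page:
#   KEY=vault("name")  or  KEY=vault("name", env="production")
VAULT_REF = re.compile(r'^vault\(\s*"([^"]+)"\s*(?:,\s*env\s*=\s*"([^"]+)"\s*)?\)$')

def resolve_env(env_text, vault, default_env="default"):
    """Return (resolved_env, secret_values). `vault` maps (env, name) -> value."""
    resolved, secrets = {}, set()
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        m = VAULT_REF.match(value)
        if m is None:
            resolved[key] = value  # plain config passes through unchanged
            continue
        name, env = m.group(1), m.group(2) or default_env
        if (env, name) not in vault:
            # Fail closed: do not start the child process with a missing secret
            raise KeyError(f"{key}: no secret {name!r} in env {env!r}")
        resolved[key] = vault[(env, name)]
        secrets.add(resolved[key])
    return resolved, secrets

def redact(text, secrets, mask="[REDACTED]"):
    """Mask each secret value, longest first so a shorter secret cannot expose a suffix."""
    for s in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(s, mask)
    return text

# Constructed sample input (placeholder values, not real credentials)
SAMPLE_ENV = '''
# Non-sensitive config
OLLAMA_BASE_URL=http://localhost:11434
ANTHROPIC_API_KEY=vault("anthropic-api-key")
OPENAI_API_KEY=vault("openai-api-key", env="production")
'''
SAMPLE_VAULT = {
    ("default", "anthropic-api-key"): "sk-ant-EXAMPLE-0001",
    ("production", "openai-api-key"): "sk-ant-EXAMPLE-0001-prod",
}

if __name__ == "__main__":
    env, secrets = resolve_env(SAMPLE_ENV, SAMPLE_VAULT)
    print(redact("using key sk-ant-EXAMPLE-0001-prod", secrets))
```

Exact-match redaction of this kind only catches a secret printed verbatim: a base64 or URL-encoded copy, or a value split across two output chunks, passes through unmasked.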
Storage
- Global vault: ~/.ownlock/vault.db — default for all commands
- Project vault: .ownlock/vault.db — use --project flag
License
MIT
File details
Details for the file ownlock-0.1.0.tar.gz.
File metadata
- Download URL: ownlock-0.1.0.tar.gz
- Upload date:
- Size: 16.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 204cf9764b0bc283d7c4d0bb8657fea97bfe67f84fae6bda7d1198ae3195a540 |
| MD5 | 1b38ec257feae0945ae6165898753ae2 |
| BLAKE2b-256 | 38a7f5ecf30b8a8c634433c6821d7a12537da06ad15f4875cb45d3cad9814d51 |
Provenance
The following attestation bundles were made for ownlock-0.1.0.tar.gz:
Publisher: ci.yml on thebscolaro/ownlock
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: ownlock-0.1.0.tar.gz
  - Subject digest: 204cf9764b0bc283d7c4d0bb8657fea97bfe67f84fae6bda7d1198ae3195a540
- Sigstore transparency entry: 1078062638
- Sigstore integration time:
- Permalink: thebscolaro/ownlock@503ba1842a79d12977d056a1bfbccc12099ad811
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/thebscolaro
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: ci.yml@503ba1842a79d12977d056a1bfbccc12099ad811
- Trigger Event: push
File details
Details for the file ownlock-0.1.0-py3-none-any.whl.
File metadata
- Download URL: ownlock-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 863f27138484a1cc032d110a8615f586db062ce22aa39b996016b2354f40efa8 |
| MD5 | 6e4c9c29205adf46b3fc3f655f7d6e96 |
| BLAKE2b-256 | 9f2f7cd60103dba86ba2e99f2e82ca37fb927811d21e0abaa38521a47158fa1c |
Provenance
The following attestation bundles were made for ownlock-0.1.0-py3-none-any.whl:
Publisher: ci.yml on thebscolaro/ownlock
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: ownlock-0.1.0-py3-none-any.whl
  - Subject digest: 863f27138484a1cc032d110a8615f586db062ce22aa39b996016b2354f40efa8
- Sigstore transparency entry: 1078062661
- Sigstore integration time:
- Permalink: thebscolaro/ownlock@503ba1842a79d12977d056a1bfbccc12099ad811
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/thebscolaro
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: ci.yml@503ba1842a79d12977d056a1bfbccc12099ad811
- Trigger Event: push