Decrypt .env.vault file.

dotenv-vault

Extends the proven & trusted foundation of python-dotenv, with a .env.vault file.

The extended standard lets you load encrypted secrets from your .env.vault file in production (and other) environments. Brought to you by the same people that pioneered dotenv-nodejs.

🌱 Install

pip install python-dotenv-vault

🏗️ Usage

Development usage works just like python-dotenv.

Add your application configuration to your .env file in the root of your project:

S3_BUCKET=YOURS3BUCKET
SECRET_KEY=YOURSECRETKEYGOESHERE

As early as possible in your application bootstrap process, load .env:

import os
from dotenv_vault import load_dotenv

load_dotenv()  # take environment variables from .env.

# Code of your application, which uses environment variables (e.g. from `os.environ` or
# `os.getenv`) as if they came from the actual environment.

When your application loads, these variables will be available in os.environ or os.getenv:

import os
s3_bucket = os.getenv("S3_BUCKET")
print(s3_bucket)

🚀 Deploying

Encrypt your environment variables by doing:

npx dotenv-vault local build

This will create an encrypted .env.vault file along with a .env.keys file containing the encryption keys. Set the DOTENV_KEY environment variable by copying and pasting the key value from the .env.keys file onto your server or cloud provider. For example in heroku:

heroku config:set DOTENV_KEY=<key string from .env.keys>

Commit your .env.vault file safely to code and deploy. Your .env.vault will be decrypted on boot, its environment variables injected, and your app will work as expected.

Note that when the DOTENV_KEY environment variable is set, environment settings will always be loaded from the .env.vault file in the project root. For development use, you can leave the DOTENV_KEY environment variable unset and fall back on the dotenv behaviour of loading from .env or a specified set of files (see the dotenv README for the details).

🌴 Manage Multiple Environments

You have two options for managing multiple environments - locally managed or vault managed - both use dotenv-vault.

Locally managed never makes a remote API call. It is completely managed on your machine. Vault managed adds conveniences like backing up your .env file, secure sharing across your team, access permissions, and version history. Choose what works best for you.

💻 Locally Managed

Create a .env.production file in the root of your project and put your production values there.

# .env.production
S3_BUCKET="PRODUCTION_S3BUCKET"
SECRET_KEY="PRODUCTION_SECRETKEYGOESHERE"

Rebuild your .env.vault file.

npx dotenv-vault local build

View your .env.keys file. There is a production DOTENV_KEY that pairs with the DOTENV_VAULT_PRODUCTION cipher in your .env.vault file.

Set the production DOTENV_KEY on your server, recommit your .env.vault file to code, and deploy. That's it!

Your .env.vault will be decrypted on boot, its production environment variables injected, and your app will work as expected.
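The pairing between a DOTENV_KEY and its DOTENV_VAULT_<ENVIRONMENT> cipher can be checked before deploy. The following is an added example, not code from python-dotenv-vault: a preflight that confirms every key in a (possibly comma-separated) DOTENV_KEY names an environment that has an entry in .env.vault, without decrypting anything. It assumes the key is a dotenv:// URI with the key in the password field and an environment query parameter, a format this page does not show; preflight, vault_entries and the sample values are hypothetical names and constructed data.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data: placeholder cipher and key values, not real secrets.
SAMPLE_VAULT = '''\
DOTENV_VAULT_DEVELOPMENT="Y29uc3RydWN0ZWQtZGV2"
DOTENV_VAULT_PRODUCTION="Y29uc3RydWN0ZWQtcHJvZA=="
'''
# Assumed key shape (not shown on the page):
#   dotenv://:key_<hex>@<host>/<path>?environment=<name>
SAMPLE_KEY = ("dotenv://:key_" + "0" * 64
              + "@dotenv.org/vault/.env.vault?environment=production")


def vault_entries(vault_text):
    """Return {NAME: value} for the DOTENV_VAULT_* lines of a .env.vault file."""
    entries = {}
    for line in vault_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().startswith("DOTENV_VAULT_"):
            entries[name.strip()] = value.strip().strip('"')
    return entries


def preflight(dotenv_key, vault_text):
    """List problems that would stop DOTENV_KEY from unlocking this vault file.

    Messages identify keys by position only, so the key never reaches a log.
    """
    if not dotenv_key:
        return ["DOTENV_KEY is unset: the loader falls back to a plain .env file"]
    entries, problems = vault_entries(vault_text), []
    for i, raw in enumerate(dotenv_key.split(","), start=1):
        uri = urlparse(raw.strip())
        env = parse_qs(uri.query).get("environment", [""])[0]
        if uri.scheme != "dotenv" or not uri.password:
            problems.append(f"key {i}: not a dotenv:// URI carrying a key")
        elif not env:
            problems.append(f"key {i}: missing ?environment= parameter")
        elif not entries.get(f"DOTENV_VAULT_{env.upper()}"):
            problems.append(f"key {i}: no DOTENV_VAULT_{env.upper()} entry in .env.vault")
    return problems
```

An empty list means every key has a matching cipher entry; it does not prove the key decrypts it.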

🔐 Vault Managed

Sync your .env file. Run the push command and follow the instructions.

$ npx dotenv-vault push

Manage multiple environments with the included UI.

$ npx dotenv-vault open

Build your .env.vault file with multiple environments.

$ npx dotenv-vault build

Access your DOTENV_KEY.

$ npx dotenv-vault keys

Set the production DOTENV_KEY on your server, recommit your .env.vault file to code, and deploy. That's it!

❓ FAQ

What happens if DOTENV_KEY is not set?

Dotenv Vault gracefully falls back to python-dotenv when DOTENV_KEY is not set. This is the default for development so that you can focus on editing your .env file and save the build command until you are ready to deploy those environment variable changes.

Should I commit my .env file?

No. We strongly recommend against committing your .env file to version control. It should only include environment-specific values such as database passwords or API keys. Your production database should have a different password than your development database.

Should I commit my .env.vault file?

Yes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.

Can I share the DOTENV_KEY?

No. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.
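The three commit rules above (.env stays out, .env.vault goes in, DOTENV_KEY is never shared) can be enforced in a pre-commit hook or CI step. This is an added example, not part of python-dotenv-vault: audit_commit is a hypothetical helper that takes the files about to be committed and reports plaintext env files, a committed .env.keys, non-encrypted lines inside .env.vault, and any pasted key value. The key pattern and the .env.example exemption are assumptions, and the sample files are constructed.

```python
import re
from pathlib import PurePosixPath

# Assumed key shape ("dotenv://:key_<hex>@..."); the page does not show it.
KEY_PATTERN = re.compile(r"dotenv://:key_[0-9a-fA-F]+@")
PLAINTEXT_ENV = re.compile(r"^\.env(\..+)?$")
ALLOWED = {".env.example"}  # assumption: a template file holding no real values

# Constructed sample commit: path -> file content.
SAMPLE_COMMIT = {
    ".env.vault": '#/ constructed sample\nDOTENV_VAULT_PRODUCTION="Y29uc3RydWN0ZWQ="\n',
    ".env.keys": 'DOTENV_KEY_PRODUCTION="dotenv://:key_' + "0" * 64
                 + '@dotenv.org/vault/.env.vault?environment=production"\n',
    "config/.env.production": 'SECRET_KEY="PRODUCTION_SECRETKEYGOESHERE"\n',
    "app/settings.py": "import os\n",
}


def audit_commit(files):
    """files maps repo path -> text content; returns a sorted list of findings."""
    findings = []
    for path, text in files.items():
        name = PurePosixPath(path).name
        lines = list(enumerate(text.splitlines(), start=1))
        if name == ".env.vault":
            # Only comments and DOTENV_VAULT* entries belong in the vault file.
            for n, line in lines:
                s = line.strip()
                if s and not s.startswith("#") and not s.startswith("DOTENV_VAULT"):
                    findings.append(f"{path}:{n}: non-vault entry in .env.vault")
        elif name == ".env.keys":
            findings.append(f"{path}: key file must not be committed")
        elif PLAINTEXT_ENV.match(name) and name not in ALLOWED:
            findings.append(f"{path}: plaintext env file must not be committed")
        # A pasted key in any file (CI config, README, script) is a leak.
        for n, line in lines:
            if KEY_PATTERN.search(line):
                findings.append(f"{path}:{n}: DOTENV_KEY value present")
    return sorted(findings)
```

Findings carry only the path and line number, never the matched value, so the hook output is safe to keep in CI logs.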

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Changelog

See CHANGELOG.md

License

MIT

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Unreleased

0.7.0

Changed

  • Update dependencies python-dotenv and cryptography
  • Remove support for Python 3.7

0.6.4

Changed

0.6.3

Changed

  • Fixed a bug where it was looking up .env instead of .env.vault #18

0.6.2

Changed

  • Look for .env.vault file at same location as .env file. Finds .env file anywhere in app (just like original python lib) #13

0.6.1

Changed

  • Fix fallback issue with gunicorn not respecting the current working directory when attempting to call find_dotenv. #17

0.6.0

Changed

  • Fix environment variable load #12

0.5.1

Changed

  • Fix error reference #10

0.5.0

Added

  • Reorganise and simplify code
  • Make API correspond more closely to python-dotenv
  • Improve error handling
  • Add tests and CI
  • Upgrade to build for release build

0.4.1

Added

  • expand cryptography library version range for better support

0.4.0

Added

  • Added feature to allow custom .env.vault path

0.3.0

Added

  • Added backward compatibility python version 3.7+

0.2.0

Added

  • Added comma separated capability to DOTENV_KEY. Add multiple keys to your DOTENV_KEY for use with decryption. Separate with a comma.

0.1.1

Added

  • Added support for handling any environment

0.1.0

Added

  • Added README and CHANGELOG

0.0.9

Added

  • Decrypting .env.vault file when DOTENV_KEY is set.

0.0.8 and prior

Please see commit history.

Source Distribution

python_dotenv_vault-0.7.0.tar.gz (12.4 kB view details)

Uploaded Source

Built Distribution

python_dotenv_vault-0.7.0-py3-none-any.whl (10.0 kB view details)

Uploaded Python 3

File details

Details for the file python_dotenv_vault-0.7.0.tar.gz.

File metadata

  • Download URL: python_dotenv_vault-0.7.0.tar.gz
  • Upload date:
  • Size: 12.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.5

File hashes

Hashes for python_dotenv_vault-0.7.0.tar.gz
Algorithm Hash digest
SHA256 8b3e8f6e8d53e07fd38fca1584283eabea9cbf78defd57e8e6bd5cac494b7ca9
MD5 0b8ef6eb00fa009fb4d56b1cc5a0c337
BLAKE2b-256 09cb7479d2c29c9edb8b6b8686d78b011ea051df71aea156a19a3b788bf7fb6c

File details

Details for the file python_dotenv_vault-0.7.0-py3-none-any.whl.

File hashes

Hashes for python_dotenv_vault-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f2f3e1fbbfd6cc4c3210cad52634bdd70322b7e3b5d253f4eab9f4276c605af4
MD5 b2a2329cbed4459ed8b838e444ebc1f6
BLAKE2b-256 9803854fa84e46c2c0023c064e70b20223cd319afa5959a1ff9b19baa848ad88
