Lightweight encryption-at-rest for application secrets
Project description
Rest-Encrypt
Rest-Encrypt provides lightweight encryption-at-rest for application secrets on both Windows and Linux. Secrets are stored on disk encrypted and are decrypted only at runtime when your application needs them. The project ships a small Python API and a command line interface.
Features
- Secrets stored as encrypted files (secrets.enc) using Fernet (AES-128-CBC with an HMAC-SHA256 tag; Fernet does not use AES-GCM).
- Data keys wrapped using platform-specific mechanisms:
  - Windows: DPAPI in user or machine scope.
  - Linux: scrypt + AES-GCM with a local passphrase file.
- Supports JSON, TOML, INI, .env and Python dict formats.
- Rotate secrets or the wrapping key with a single command.
Installation
pip install rest-encrypt
Quick Start
# initialise encrypted secrets from a JSON file
rest-encrypt init --secrets-path secrets.enc \
--wrapped-key-path wrapped.key \
--from-file secrets.json
# decrypt and print the stored secrets
rest-encrypt load --secrets-path secrets.enc \
--wrapped-key-path wrapped.key --print
CLI Usage
# inject secrets into the environment and run a command
rest-encrypt env-run --secrets-path secrets.enc \
--wrapped-key-path wrapped.key -- \
python my_script.py
# rotate the wrapped data key
rest-encrypt rotate-key --secrets-path secrets.enc \
--wrapped-key-path wrapped.key
Python API
from rest_encrypt import SecretStore
store = SecretStore(
secrets_path="secrets.enc",
wrapped_key_path="wrapped.key",
scope="user", # DPAPI scope on Windows, ignored on Linux
serializer="json",
passphrase_path="/etc/rest-encrypt/passphrase", # Linux only
)
# one-time initialisation
store.init_from_plain({"API_KEY": "123"})
# later, load and use the secrets
secrets = store.load()
store.inject_env(secrets, scope="process")
File Layout
Two files are created next to each other:
secrets.enc # encrypted secrets
wrapped.key # wrapped data key
The wrapped.key file is tied to the platform's wrapping mechanism, not to the secrets themselves: on Linux it is encrypted under a key derived from the passphrase file, while on Windows DPAPI protects it. Copying secrets.enc alone is useless without the matching wrapped.key and the means to unwrap it.
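The following is an added example, not Rest-Encrypt's own code, showing the Linux envelope layout described above and what each of the two rotate operations has to touch. It uses only the Python standard library: hashlib.scrypt is the real KDF, but the authenticated cipher is a stand-in built from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) because the standard library ships no AES-GCM; the AAD labels, salt and nonce lengths, scrypt parameters and function names are all assumptions for illustration.

```python
# Added example, not Rest-Encrypt's own code: data key -> secrets.enc,
# passphrase-derived KEK -> wrapped.key. hashlib.scrypt is the real KDF; the
# AEAD is an HMAC-SHA256 stand-in because the stdlib has no AES-GCM.
# Labels, lengths, scrypt parameters and names are assumptions.
import hashlib
import hmac
import json
import os
import secrets
import stat
import struct

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed; 128*r*N = 16 MiB
KEY_LEN, SALT_LEN, NONCE_LEN, TAG_LEN = 32, 16, 16, 32


def derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    """Key-encryption key from the passphrase file contents, via scrypt."""
    return hashlib.scrypt(passphrase, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=KEY_LEN)

def _subkeys(key: bytes) -> tuple:
    # Independent encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode: PRF(nonce || counter) blocks, truncated to length.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
    return bytes(out[:length])

def _mac_input(aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the AAD so the (aad, nonce || ct) split is unambiguous.
    return struct.pack(">Q", len(aad)) + aad + nonce + ct

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on mismatch."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def wrap_key(passphrase: bytes, data_key: bytes) -> bytes:
    """wrapped.key contents: salt || sealed data key, bound to the passphrase."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + seal(derive_kek(passphrase, salt), data_key, aad=b"wrapped.key")

def unwrap_key(passphrase: bytes, wrapped: bytes) -> bytes:
    salt, blob = wrapped[:SALT_LEN], wrapped[SALT_LEN:]
    return open_sealed(derive_kek(passphrase, salt), blob, aad=b"wrapped.key")

def init_store(passphrase: bytes, plain: dict) -> tuple:
    """Fresh random data key; returns (secrets.enc bytes, wrapped.key bytes)."""
    data_key = secrets.token_bytes(KEY_LEN)
    secrets_enc = seal(data_key, json.dumps(plain).encode(), aad=b"secrets.enc")
    return secrets_enc, wrap_key(passphrase, data_key)

def load_store(passphrase: bytes, secrets_enc: bytes, wrapped: bytes) -> dict:
    data_key = unwrap_key(passphrase, wrapped)
    return json.loads(open_sealed(data_key, secrets_enc, aad=b"secrets.enc"))

def rotate_wrapping_key(old_pass: bytes, new_pass: bytes, wrapped: bytes) -> bytes:
    """Re-wrap only: secrets.enc and the data key inside it are untouched."""
    return wrap_key(new_pass, unwrap_key(old_pass, wrapped))

def rotate_data_key(passphrase: bytes, secrets_enc: bytes, wrapped: bytes) -> tuple:
    """Full rotation: decrypt, pick a new data key, re-encrypt, re-wrap."""
    return init_store(passphrase, load_store(passphrase, secrets_enc, wrapped))

def passphrase_file_is_private(path: str) -> bool:
    """Check worth running before load: no group/other bits on the passphrase file."""
    if os.name != "posix":
        return True  # Windows uses DPAPI per the README; no POSIX mode bits to check
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
```

The split into two files is what makes wrapping-key rotation cheap: `rotate_wrapping_key` unwraps the data key under the old passphrase and re-wraps it under the new one, so secrets.enc does not change and the data key is never rewritten; rotating the data key itself (`rotate_data_key`) must decrypt and re-encrypt the secrets blob as well. In production the stand-in AEAD should be replaced by AES-GCM (for instance `cryptography`'s `AESGCM`), which is what the README says the project uses; the envelope structure stays the same.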
Security Notes
See SECURITY.md for the detailed threat model. In short, the goal is to protect secrets if the encrypted files are copied elsewhere. Local admin or root access on the original machine can always recover the data.
License
This project is licensed under the Apache 2.0 License.
Download files
File details
Details for the file rest_encrypt-0.1.0.tar.gz.
File metadata
- Download URL: rest_encrypt-0.1.0.tar.gz
- Upload date:
- Size: 15.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1f6ab4f73c67cb3db1c3ffc4e70c0551e5e2f1de4dfc402120f2c45f548dd13d |
| MD5 | bbf82e8a8b278392a956d377be5da3b3 |
| BLAKE2b-256 | 8787912f0d7ecd8cbab8ae66c93cc8e4412be1c6e395055f5ec361517d558e47 |
File details
Details for the file rest_encrypt-0.1.0-py3-none-any.whl.
File metadata
- Download URL: rest_encrypt-0.1.0-py3-none-any.whl
- Upload date:
- Size: 17.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8df53a6ddf3726440689a4f454629733da0020ba748588cd4f32ce0af73bb17c |
| MD5 | 08fdbeabcf82adfc1059e7212335649f |
| BLAKE2b-256 | 9cf05039568a4440487bc52307ce73d82b65876618b2cad9bff5e544354392e1 |