A Rune-style secret type for sensitive values in Python.
Project description
secret
A Rune-style type for sensitive values in Python
secret-type provides a convenient type (secret) to indicate that a value is considered sensitive, similar to the secret type in Google's Rune Lang.
Installation
pip install secret-type
Usage
>>> from secret_type import secret
>>> password = secret("a very secret value") # Secrets can be any primitive value
>>> print(password) # Runtime exceptions prevent logging
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "secret_type/containers/secret.py", line 91, in __str__
    raise SecretException()
secret_type.exceptions.SecretException: Secrets cannot be examined
>>> better_password = password + "!" # Operations derive new secrets
>>> type(better_password)
<class 'secret_type.sequence.SecretStr'>
>>> better_password.dangerous_apply(print)
a very secret value!
Features
- When marked as secret, values cannot be printed or logged; attempting to do so will raise an exception.
- Secrets are "viral"; any operation on a secret will also return a secret.
- Comparison operations with a secret are guaranteed to be constant-time. This helps avoid timing attacks.
- A bool derived from a secret cannot be used for control flow.
- Secrets cannot be used as indexes or keys for containers.
- Internally, the underlying value is stored encrypted in memory, and is only decrypted when deriving a new value.
- As soon as secrets are out of scope, the Garbage Collector is encouraged to immediately collect them.
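A minimal sketch of how several of the features above can be enforced at runtime through Python's special methods. This is an added example, not secret-type's own code: the names Sealed, SealedError, unwrap and demo are hypothetical, only dangerous_apply mirrors the call shown under Usage, and the value is held in plaintext here rather than encrypted.

```python
import hmac

class SealedError(Exception):
    """Raised when a sealed value would otherwise leak."""

def unwrap(x):
    return x._value if isinstance(x, Sealed) else x

def _as_bytes(v):
    return v if isinstance(v, bytes) else str(v).encode()

class Sealed:
    """Hypothetical wrapper for illustration; not the library's implementation."""
    __slots__ = ("_value",)
    __hash__ = None  # unhashable: cannot be a dict key or set member

    def __init__(self, value):
        self._value = value

    def _leak(self, *args):
        raise SealedError("sealed values cannot be examined")

    # print(), logging, f-strings, `if`, and list indexing all reach these hooks.
    __str__ = __repr__ = __format__ = __bool__ = __index__ = _leak

    def __add__(self, other):
        # "Viral": anything derived from a sealed value is sealed too.
        return Sealed(self._value + unwrap(other))
    def __radd__(self, other):
        return Sealed(unwrap(other) + self._value)

    def __eq__(self, other):
        # compare_digest does not stop at the first differing byte, and the
        # result is sealed as well, so `if a == b:` raises through __bool__.
        return Sealed(hmac.compare_digest(_as_bytes(self._value), _as_bytes(unwrap(other))))

    def dangerous_apply(self, fn):
        # Explicit escape hatch that is easy to find in code review.
        return fn(self._value)

def demo():
    better = Sealed("a very secret value") + "!"  # constructed sample value
    ops = {"print": lambda: str(better), "branch": lambda: bool(better == "x"),
           "index": lambda: [0][Sealed(0)]}
    blocked = []
    for name, op in ops.items():
        try:
            op()
        except SealedError:
            blocked.append(name)
    return blocked  # names of the operations that were refused
```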
Docs
For complete docs, see the Quickstart.
Comparison to Rune
Rune makes the following guarantees about a secret:
- All operations on secrets occur in constant time, minimizing timing side-channel leakage.
- Secrets cannot be used in conditional branches or memory addressing.
- Even speculative branching and indexing on secrets are caught at compile-time to avoid Spectre/Meltdown.
- Secrecy is sticky: any value in part derived from a secret is considered secret until "revealed".
- Secrets are automatically zeroed when no longer used.
This project attempts to do something similar, but with the runtime constraints of Python.
License
secret-type is distributed under the terms of the MIT license.
File details
Details for the file secret_type-0.3.0.tar.gz.
File metadata
- Download URL: secret_type-0.3.0.tar.gz
- Upload date:
- Size: 15.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: python-httpx/0.23.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1cda5a9d6b47eb963a9a70431165759cbb90d4260b13a0649d6fdffc74c2f7ff |
| MD5 | ea19037eaf38f98ea62ba6eebf877ffe |
| BLAKE2b-256 | 10f3460f413c1a711282ea751490126cfee13bd1be3ab482557365c85370ada4 |
File details
Details for the file secret_type-0.3.0-py3-none-any.whl.
File metadata
- Download URL: secret_type-0.3.0-py3-none-any.whl
- Upload date:
- Size: 14.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: python-httpx/0.23.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 44aa14b99fd274b7f58d3a3ea7ec42f96833f2e190464e85c2c903805b4f471c |
| MD5 | 6d16b02d0ccd01b43f5ab33fb2c1cb52 |
| BLAKE2b-256 | 15b5e9c55a2ec41644bbc1b386e535a7c2dc56fd82015df68f2d1e9c76601419 |