Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (pypi.python.org).
Help us improve Python packaging - Donate today!

Encrypt project secrets

Project Description

Utility for keeping your secrets encrypted. Also has a Go version.

For example, you have the following configuration file

MY_SECRET=VerySecretValue!

but you can’t include that file in VCS because then your secret value would be exposed.

With secretcrypt, you can encrypt your secret using your AWS KMS master key aliased MyKey:

$ encrypt-secret kms alias/MyKey
Enter plaintext: VerySecretValue! # enter
kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE... # shortened for brevity

# --- or --
$ echo "VerySecretValue!" | encrypt-secret kms alias/MyKey
kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE... # shortened for brevity
# only use piping when scripting, otherwise your secrets will be stored
# in your shell's history!

use that secret in my config file

from secretcrypt import Secret
MY_SECRET=Secret('kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE...')  # shortened for brevity

and get the plaintext like

print MY_SECRET.get()
# VerySecretValue!

If you are using very sensitive secrets, you can ensure the plaintext is not kept in memory and is only encrypted on demand by using a stricter version:

from secretcrypt import StrictSecret
MY_SECRET=StrictSecret('kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE...')  # shortened for brevity

and get the plaintext like

print MY_SECRET.decrypt()
# VerySecretValue!

KMS

The KMS option uses AWS Key Management Service. When encrypting and decrypting KMS secrets, you need to provide which AWS region the is to be or was encrypted on, but it defaults to us-east-1.

So if you use a custom region, you must provide it to secretcrypt:

encrypt-secret kms --region us-west-1 alias/MyKey

Local encryption

This mode is meant for local and/or offline development usage. It generates a local key in your %USER_DATA_DIR% (see appdirs), so that the key cannot be accidentally committed to CVS.

It then uses that key to symmetrically encrypt and decrypt your secrets.

Password encryption - interactive only

The password encryption mode should not be used in your application - it is meant for easily sharing secrets among developers. It interactively prompts the user for a password when encrypting the secret. When decrypting, it prompts for the password again.

History

1.0.3 (2017-11-02)

  • reverted scrypt parameter changes

1.0.2 (2017-10-31)

  • changed scrypt parameters

1.0.1 (2017-10-31)

  • Fixed readme formatting.

1.0.0 (2017-10-31)

  • added password encryption/decryption

0.9.1 (2017-03-28)

  • Python3 local module fixed issue with utf-8
  • unpinned dependencies

0.4 (2016-03-02)

  • plaintexts are now returned as strings not as bytes

0.3 (2016-03-02)

  • BREAKING CHANGE: introduced new semantics for Secret and a new StrictSecret
Release History

Release History

This version
History Node

1.0.3

History Node

1.0.2

History Node

1.0.1

History Node

1.0.1.dev0

History Node

1.0.0

History Node

0.9.1

History Node

0.4.3

History Node

0.4.2

History Node

0.4.1

History Node

0.4

History Node

0.3.1

History Node

0.3

History Node

0.2

Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
secretcrypt-1.0.3.tar.gz (10.4 kB) Copy SHA256 Checksum SHA256 Source Nov 2, 2017

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting