
Encrypt project secrets

Project description


WARNING: this software is in alpha state, use with caution.

Utility for keeping your secrets encrypted. Also has a Go version.

For example, suppose you have the following configuration file

MY_SECRET=VerySecretValue!

but you can’t include that file in VCS because then your secret value would be exposed.

With secretcrypt, you can encrypt your secret using your AWS KMS master key aliased MyKey:

$ encrypt-secret kms alias/MyKey
Enter plaintext: VerySecretValue! # enter
kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE... # shortened for brevity

# --- or ---
$ echo "VerySecretValue!" | encrypt-secret kms alias/MyKey
kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE... # shortened for brevity
# only use piping when scripting, otherwise your secrets will be stored
# in your shell's history!

Use that secret in your config file:

from secretcrypt import Secret
MY_SECRET = Secret('kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE...')  # shortened for brevity

and retrieve the plaintext with:

print(MY_SECRET.get())
# VerySecretValue!

If you are using very sensitive secrets, you can ensure the plaintext is not kept in memory and is only decrypted on demand by using the stricter variant:

from secretcrypt import StrictSecret
MY_SECRET = StrictSecret('kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE...')  # shortened for brevity

and retrieve the plaintext with:

print(MY_SECRET.decrypt())
# VerySecretValue!

KMS

The KMS option uses AWS Key Management Service. When encrypting and decrypting KMS secrets, you need to specify the AWS region in which the secret is to be (or was) encrypted; it defaults to us-east-1.

So if you use a custom region, you must provide it to secretcrypt:

encrypt-secret kms --region us-west-1 alias/MyKey
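The serialized form shown above (kms:region=...:ciphertext), the Secret versus StrictSecret semantics, and the region requirement, modelled as an added example that is not secretcrypt's own code. It assumes the general '<backend>:<k=v>,...:<base64>' layout (only the kms form appears on this page), that a missing region falls back to the us-east-1 default, and it swaps the real KMS call for a constructed in-memory decryptor that counts round trips.

```python
# Added example, not secretcrypt's code. Assumptions: '<backend>:<k=v>,...:<base64>' layout,
# missing region = us-east-1 default, KMS replaced by a constructed counting decryptor.
from typing import Callable, Dict, Tuple

DEFAULT_REGION = "us-east-1"
Ciphertext = Tuple[str, Dict[str, str], str]  # (backend, params, base64 blob)

def parse(serialized: str) -> Ciphertext:
    # Splitting on at most two ':' keeps the base64 blob whole (base64 never contains ':').
    parts = serialized.split(":", 2)
    if len(parts) != 3 or not parts[0] or not parts[2]:
        raise ValueError("malformed secretcrypt ciphertext")
    backend, raw_params, blob = parts
    params = dict(p.split("=", 1) for p in raw_params.split(",") if p)
    if backend == "kms":
        params.setdefault("region", DEFAULT_REGION)  # assumption: default applied on parse
    return backend, params, blob

class Secret:  # decrypts on first get() and then keeps the plaintext in memory
    def __init__(self, serialized: str, decryptor: Callable[[Ciphertext], str]):
        self._ct, self._decryptor, self._plaintext = parse(serialized), decryptor, None
    def get(self) -> str:
        if self._plaintext is None:
            self._plaintext = self._decryptor(self._ct)
        return self._plaintext

class StrictSecret:  # holds only the ciphertext; every decrypt() goes back to the backend
    def __init__(self, serialized: str, decryptor: Callable[[Ciphertext], str]):
        self._ct, self._decryptor = parse(serialized), decryptor
    def decrypt(self) -> str:
        return self._decryptor(self._ct)

class FakeKms:  # constructed stand-in for KMS Decrypt: one region, a blob->plaintext table
    def __init__(self, region: str, table: Dict[str, str]):
        self.region, self.table, self.calls = region, table, 0
    def __call__(self, ct: Ciphertext) -> str:
        self.calls += 1
        backend, params, blob = ct
        if backend != "kms" or params["region"] != self.region:  # wrong region: no key
            raise LookupError("ciphertext is not from this backend/region")
        return self.table[blob]

def demo() -> Tuple[int, int]:
    kms = FakeKms("us-east-1", {"CiC/SXeuXDGRADRIjc0qcE": "VerySecretValue!"})  # constructed
    cached = Secret("kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE", kms)
    cached.get(); cached.get()          # second call is served from memory
    calls_after_secret = kms.calls      # 1
    strict = StrictSecret("kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE", kms)
    strict.decrypt(); strict.decrypt()  # each call is a fresh round trip
    return calls_after_secret, kms.calls  # (1, 3)
```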

Local encryption

This mode is meant for local and/or offline development usage. It generates a local key in your %USER_DATA_DIR% (see appdirs), so that the key cannot be accidentally committed to VCS.

It then uses that key to symmetrically encrypt and decrypt your secrets.

History

0.4 (2016-03-02)

  • plaintexts are now returned as strings, not as bytes

0.3 (2016-03-02)

  • BREAKING CHANGE: introduced new semantics for Secret and a new StrictSecret

Source Distribution

secretcrypt-0.4.1.tar.gz (11.1 kB, source; not uploaded using Trusted Publishing)
File hashes for secretcrypt-0.4.1.tar.gz

Algorithm    Hash digest
SHA256       51be81825f5478c06f6e04411d17f78ff5f13f26ba9e42c117e39ccd6839a1bb
MD5          7896d6dbba2402abfcd4226e415c7401
BLAKE2b-256  1d99cce6b9454ec81047bf1a59f0e9a25bc238d4ac25ce6bfb0be1af03c29979
