Simple encrypted secrets for Python
Project description
secrets-vault
Simple encrypted secrets for Python.
Inspired by Rails encrypted secrets, but for Python. It can be used as a standalone CLI tool or as a library.
The vault is JSON encoded and encrypted using symmetric encryption.
Quick start
- Install
pip install secrets-vault
. - Run
secrets init
. - Two files will be created:
master.key
andsecrets.json.enc
. - You can now edit your secrets by running
secrets edit
, or list them viasecrets get
.
Important: Keep the master.key
safe. Do NOT commit it to VCS. The secrets.json.enc
file is safe to commit.
CLI usage
You can view the help anytime by running secrets --help
:
Usage: secrets [OPTIONS] COMMAND [ARGS]...
Manage a local secrets vault.
Options:
-m, --master-key-filepath TEXT Path to the master.key file.
-s, --secrets-filepath TEXT Path to the encrypted secrets vault.
--help Show this message and exit.
Commands:
del Delete a secret.
edit Open the secrets vault in your configured $EDITOR.
envify Prints a provided secret key as one or more env variables.
get Get one or more secret values.
init Generate a new secrets vault and master.key pair.
set Store a secret.
Reading secrets
CLI commands
List all secrets:
$ secrets get
> my-user: foo
> my-password: supersecret
Get one secret:
$ secrets get my-password
> supersecret
Get multiple secrets:
$ secrets get my-user my-password
> my-user: foo
> my-password: supersecret
In Python
from secrets_vault import SecretsVault
vault = SecretsVault()
password = vault.get('my-password')
Editing secrets
CLI command
You can also set secrets from the CLI with a key and value:
$ secrets set foo bar
Interactive editor
To edit secrets, run secrets edit
, the file will be decrypted and your editor will open.
$ secrets edit
>>> Opening secrets file in editor...
{
"foo": "bar"
}
Any saved changes will be encrypted and saved to the file on disk when you close the editor.
In Python
You can also edit secrets from code:
from secrets_vault import SecretsVault
vault = SecretsVault()
vault.set('foo', 'bar')
vault.save()
Deleting secrets
CLI command
You can delete secrets from the CLI with a key:
$ secrets del foo
In Python
You can achieve the same in Python like this:
from secrets_vault import SecretsVault
vault = SecretsVault()
vault.delete('foo')
vault.save()
Printing secrets as environment variables
Sometimes you may want to print a secret as environment variables. It will also apply if you have nested objects. You can do so by running:
$ secrets edit
{
"aws-credentials": {
"AWS_ACCESS_KEY_ID": "...",
"AWS_SECRET_ACCESS_KEY": "..."
}
}
Get will print the secrets as-is:
$ secrets get aws-credentials
> {"AWS_ACCESS_KEY_ID": "...", "AWS_SECRET_ACCESS_KEY": "..."}
Envify will print the secrets ready for consumption as environment variables:
$ secrets envify aws-credentials
> AWS_ACCESS_KEY_ID=...
> AWS_SECRET_ACCESS_KEY=...
Providing the master.key file
File on disk
By default, the vault will look for the master key in a file located at ./master.key
.
Environment variable
You can also provide it via an environment variable MASTER_KEY
. For example:
MASTER_KEY=my-super-secret-master-key secrets edit
In Python
You can load the master_key from anywhere else and provide it when initializing the class:
from secrets_vault import SecretsVault
# Load from somewhere else
master_key = 'my-super-secret-master-key'
vault = SecretsVault(master_key=master_key)
Configuring the default filepaths
CLI command
You can also provide them as a CLI argument before any command:
$ secrets --master-key-filepath foo1 --secrets-filepath foo2 edit
In Python
You can also configure the filepaths at which your secrets.json.enc
and master.key
files are located.
from secrets_vault import SecretsVault
vault = SecretsVault(master_key_filepath=..., secrets_filepath=...)
Changelog
0.1.6
- Fix requirements not listed in package
0.1.5
- Add envify command
- Refactor CLI tool
- Breaking Python API changes: persist() has been renamed to save(), and init() has been renamed to create().
0.1.4
- Add del command
0.1.3
- Add set command
0.1.2
- Initial release
Security Disclosure
If you discover any issue regarding security, please disclose the information responsibly by sending an email to dyer.linseed0@icloud.com. Do NOT create a Issue on the GitHub repo.
Contributing
Please check for any existing issues before openning a new Issue. If you'd like to work on something, please open a new Issue describing what you'd like to do before submitting a Pull Request.
License
See LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for secrets_vault-0.1.6-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 19b36fd0193de2b605a58ccd69e84b50c35e14f7797dfae599f79140cd9004d9 |
|
MD5 | 9dfcec5a2d03e54a91c4c5c9acf4a01b |
|
BLAKE2b-256 | a3899e7e25e84f3854b030552ed690a67b3de96fdf41ee346e8ee898ffafa5a3 |