Simple encrypted secrets for Python

secrets-vault

Simple encrypted secrets for Python.

Inspired by Rails encrypted secrets, but for Python. It can be used as a standalone CLI tool or as a library.

The vault is JSON encoded and encrypted using symmetric encryption.

Quick start

  1. Install with pip install secrets-vault.
  2. Run secrets init.
  3. Two files will be created: master.key and secrets.json.enc.
  4. You can now edit your secrets by running secrets edit, or list them via secrets get.

Important: Keep the master.key safe. Do NOT commit it to VCS. The secrets.json.enc file is safe to commit.

CLI usage

You can view the help anytime by running secrets --help:

Usage: secrets [OPTIONS] COMMAND [ARGS]...

  Manage a local secrets vault.

Options:
  -m, --master-key-filepath TEXT  Path to the master.key file.
  -s, --secrets-filepath TEXT     Path to the encrypted secrets vault.
  --help                          Show this message and exit.

Commands:
  del     Delete a secret.
  edit    Open the secrets vault in your configured $EDITOR.
  envify  Prints a provided secret key as one or more env variables.
  get     Get one or more secret values.
  init    Generate a new secrets vault and master.key pair.
  set     Store a secret.

Reading secrets

CLI commands

List all secrets:

$ secrets get
> my-user: foo
> my-password: supersecret

Get one secret:

$ secrets get my-password
> supersecret

Get multiple secrets:

$ secrets get my-user my-password
> my-user: foo
> my-password: supersecret

In Python

from secrets_vault import SecretsVault

vault = SecretsVault()

password = vault.get('my-password')

Editing secrets

CLI command

You can also set secrets from the CLI with a key and value:

$ secrets set foo bar

Interactive editor

To edit secrets, run secrets edit. The file will be decrypted and your editor will open.

$ secrets edit

>>> Opening secrets file in editor...
{
  "foo": "bar"
}

Any saved changes will be encrypted and saved to the file on disk when you close the editor.

In Python

You can also edit secrets from code:

from secrets_vault import SecretsVault

vault = SecretsVault()
vault.set('foo', 'bar')
vault.save()

Deleting secrets

CLI command

You can delete secrets from the CLI with a key:

$ secrets del foo

In Python

You can achieve the same in Python like this:

from secrets_vault import SecretsVault

vault = SecretsVault()
vault.delete('foo')
vault.save()

Printing secrets as environment variables

Sometimes you may want to print a secret as environment variables. This also works for nested objects. For example, with the following vault contents:

$ secrets edit

{
  "aws-credentials": {
    "AWS_ACCESS_KEY_ID": "...",
    "AWS_SECRET_ACCESS_KEY": "..."
  }
}

Get will print the secrets as-is:

$ secrets get aws-credentials
> {"AWS_ACCESS_KEY_ID": "...", "AWS_SECRET_ACCESS_KEY": "..."}

Envify will print the secrets ready for consumption as environment variables:

$ secrets envify aws-credentials
> AWS_ACCESS_KEY_ID=...
> AWS_SECRET_ACCESS_KEY=...
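
When the consumer is launched from Python, the same nested secret can be handed to the child process directly instead of being printed first. This is an added example, not code from the secrets-vault project: child_env and run_with_secret are hypothetical helpers, SAMPLE is constructed data, and it assumes vault.get('aws-credentials') returns the nested object as a dict.

```python
import os
import re
import subprocess
import sys

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def child_env(secret, base=None):
    """Merge a nested secret (dict of NAME -> value) into a copy of the environment."""
    if not isinstance(secret, dict):
        raise TypeError("expected a nested object such as aws-credentials")
    env = dict(os.environ if base is None else base)
    for name, value in secret.items():
        # Reject keys that are not usable as environment variable names.
        if not _NAME.fullmatch(name):
            raise ValueError(f"not a valid environment variable name: {name!r}")
        if not isinstance(value, str) or "\x00" in value:
            raise ValueError(f"{name} must be a string without NUL bytes")
        env[name] = value
    return env


def run_with_secret(argv, secret, base=None):
    """Run argv with the secret present only in the child's environment."""
    result = subprocess.run(argv, env=child_env(secret, base), check=True,
                            capture_output=True, text=True)
    return result.stdout


# Constructed sample standing in for vault.get('aws-credentials') (assumed to be a dict).
SAMPLE = {"AWS_ACCESS_KEY_ID": "constructed-id",
          "AWS_SECRET_ACCESS_KEY": "constructed secret value"}

if __name__ == "__main__":
    probe = "import os; print(sorted(k for k in os.environ if k.startswith('AWS_')))"
    print(run_with_secret([sys.executable, "-c", probe], SAMPLE), end="")
```

The values are passed as an argument-free environment mapping, so values containing spaces or shell metacharacters need no quoting and never pass through a shell.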

Providing the master.key file

File on disk

By default, the vault will look for the master key in a file located at ./master.key.

Environment variable

You can also provide it via an environment variable MASTER_KEY. For example:

$ MASTER_KEY=my-super-secret-master-key secrets edit

In Python

You can load the master_key from anywhere else and provide it when initializing the class:

from secrets_vault import SecretsVault

# Load from somewhere else
master_key = 'my-super-secret-master-key'

vault = SecretsVault(master_key=master_key)
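
One way to implement the "load from somewhere else" step, as an added example that is not part of the secrets-vault project. load_master_key and InsecureKeyFile are hypothetical names; the precedence (environment variable first), the whitespace stripping and the POSIX permission policy are assumptions of this example, not documented behaviour of the library.

```python
import os
import stat
from pathlib import Path


class InsecureKeyFile(Exception):
    """Raised when the key file is unusable or exposed to other local users."""


def load_master_key(path="master.key", env_var="MASTER_KEY", environ=None):
    """Return the master key from the environment or, failing that, from disk."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if key:
        return key

    key_path = Path(path)
    info = key_path.stat()  # FileNotFoundError propagates to the caller
    if not stat.S_ISREG(info.st_mode):
        raise InsecureKeyFile(f"{key_path} is not a regular file")
    mode = stat.S_IMODE(info.st_mode)
    # Any group/other permission bit exposes the key to other local accounts.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureKeyFile(f"{key_path} has mode {mode:04o}; expected 0600")
    key = key_path.read_text().strip()
    if not key:
        raise InsecureKeyFile(f"{key_path} is empty")
    return key


# Usage with the constructor shown above (requires secrets-vault installed):
#   from secrets_vault import SecretsVault
#   vault = SecretsVault(master_key=load_master_key())
```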

Configuring the default filepaths

CLI command

You can provide the filepaths as CLI arguments:

$ secrets init --master-key-filepath ./prod/master.key --secrets-filepath ./prod/secrets.json.enc

In Python

You can also configure the filepaths at which your secrets.json.enc and master.key files are located.

from secrets_vault import SecretsVault

vault = SecretsVault(master_key_filepath=..., secrets_filepath=...)

Changelog

See CHANGELOG for the list of releases and relevant changes.

Security Disclosure

If you discover any issue regarding security, please disclose the information responsibly by sending an email to dyer.linseed0@icloud.com. Do NOT create an Issue on the GitHub repo.

Contributing

Please check for any existing issues before opening a new Issue. If you'd like to work on something, please open a new Issue describing what you'd like to do before submitting a Pull Request.

License

See LICENSE.

Download files

Source Distribution

secrets-vault-0.1.7.tar.gz (7.7 kB)

Uploaded Source

Built Distribution

secrets_vault-0.1.7-py3-none-any.whl (8.2 kB)

Uploaded Python 3

File details

Details for the file secrets-vault-0.1.7.tar.gz.

File metadata

  • Download URL: secrets-vault-0.1.7.tar.gz
  • Size: 7.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.17
