Simple encrypted secrets for Python
Project description
secrets-vault
Inspired by Rails encrypted secrets, but for Python. It can be used as a standalone CLI tool or as a library.
The vault is JSON encoded and encrypted using symmetric encryption.
Quick start
- Install: pip install secrets-vault.
- Run secrets init.
- Two files will be created: master.key and secrets.json.enc.
- You can now edit your secrets by running secrets edit, or list them via secrets get.
Important: Keep the master.key safe. Do NOT commit it to VCS. The secrets.json.enc file is safe to commit.
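A check for the rule above, as an added example that is not part of secrets-vault: it flags a master.key readable beyond its owner, a master.key not covered by .gitignore, and a secrets.json.enc that is actually plain JSON. The function name and the simplified .gitignore matching are assumptions of this example.

```python
import fnmatch
import json
import os
import stat
from pathlib import Path


def audit_vault_dir(directory, key_name="master.key", vault_name="secrets.json.enc"):
    """Return a list of findings for a directory holding a vault and its key."""
    directory = Path(directory)
    findings = []

    key_path = directory / key_name
    if key_path.exists():
        # Any group/other permission bit lets other local users read the key.
        mode = stat.S_IMODE(key_path.stat().st_mode)
        if os.name == "posix" and mode & 0o077:
            findings.append(f"{key_name}: mode {mode:o} is readable beyond the owner")

        # Simplified .gitignore check: plain and glob patterns only, no negation
        # or directory rules. `git check-ignore` gives the authoritative answer.
        gitignore = directory / ".gitignore"
        patterns = []
        if gitignore.exists():
            for line in gitignore.read_text().splitlines():
                line = line.strip()
                if line and not line.startswith(("#", "!")):
                    patterns.append(line.lstrip("/"))
        if not any(fnmatch.fnmatch(key_name, p) for p in patterns):
            findings.append(f"{key_name}: not covered by {gitignore.name}")

    vault_path = directory / vault_name
    if vault_path.exists():
        # The vault is only safe to commit if it really is ciphertext.
        try:
            json.loads(vault_path.read_bytes())
            findings.append(f"{vault_name}: parses as plain JSON, not encrypted")
        except ValueError:  # also covers UnicodeDecodeError on binary data
            pass

    return findings


if __name__ == "__main__":
    for finding in audit_vault_dir("."):
        print(finding)
```

Run it from the directory that holds the vault, for example as a pre-commit or CI step; an empty result means none of the three problems was found.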
CLI usage
You can view the help anytime by running secrets --help:
Usage: secrets [OPTIONS] COMMAND [ARGS]...

  Manage a local secrets vault.

Options:
  -m, --master-key-filepath TEXT  Path to the master.key file.
  -s, --secrets-filepath TEXT     Path to the encrypted secrets vault.
  --help                          Show this message and exit.

Commands:
  del     Delete a secret.
  edit    Open the secrets vault in your configured $EDITOR.
  envify  Prints a provided secret key as one or more env variables.
  get     Get one or more secret values.
  init    Generate a new secrets vault and master.key pair.
  set     Store a secret.
Reading secrets
CLI commands
List all secrets:
$ secrets get
> my-user: foo
> my-password: supersecret
Get one secret:
$ secrets get my-password
> supersecret
Get multiple secrets:
$ secrets get my-user my-password
> my-user: foo
> my-password: supersecret
In Python
from secrets_vault import SecretsVault
vault = SecretsVault()
password = vault.get('my-password')
Editing secrets
CLI command
You can also set secrets from the CLI with a key and value:
$ secrets set foo bar
Interactive editor
To edit secrets, run secrets edit; the file will be decrypted and your editor will open.
$ secrets edit
>>> Opening secrets file in editor...
{
  "foo": "bar"
}
Any saved changes will be encrypted and saved to the file on disk when you close the editor.
In Python
You can also edit secrets from code:
from secrets_vault import SecretsVault
vault = SecretsVault()
vault.set('foo', 'bar')
vault.save()
Deleting secrets
CLI command
You can delete secrets from the CLI with a key:
$ secrets del foo
In Python
You can achieve the same in Python like this:
from secrets_vault import SecretsVault
vault = SecretsVault()
vault.delete('foo')
vault.save()
Printing secrets as environment variables
Sometimes you may want to print a secret as environment variables. This also works for secrets that are nested objects. For example, given a vault with the following contents:
$ secrets edit
{
  "aws-credentials": {
    "AWS_ACCESS_KEY_ID": "...",
    "AWS_SECRET_ACCESS_KEY": "..."
  }
}
Get will print the secrets as-is:
$ secrets get aws-credentials
> {"AWS_ACCESS_KEY_ID": "...", "AWS_SECRET_ACCESS_KEY": "..."}
Envify will print the secrets ready for consumption as environment variables:
$ secrets envify aws-credentials
> AWS_ACCESS_KEY_ID=...
> AWS_SECRET_ACCESS_KEY=...
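One way to produce lines like the envify output above from a decoded secret, with shell quoting and name validation added. This is an added example, not the secrets-vault implementation; the function, its quoting and its rejection rules are assumptions, not documented behaviour of secrets envify.

```python
import re
import shlex

# POSIX-style environment variable names.
_ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def envify(name, value):
    """Render one secret as shell-safe NAME=value lines.

    A dict becomes one line per entry; a scalar uses `name` itself.
    """
    items = value.items() if isinstance(value, dict) else [(name, value)]
    lines = []
    for key, val in items:
        if not _ENV_NAME.fullmatch(key):
            raise ValueError(f"{key!r} is not a valid environment variable name")
        if isinstance(val, (dict, list)):
            raise ValueError(f"{key!r} holds a nested value and cannot be one variable")
        # shlex.quote leaves simple values bare and single-quotes anything with
        # spaces, quotes, `$`, newlines or other shell metacharacters, so the
        # line is safe to source or pass to `export`.
        lines.append(f"{key}={shlex.quote(str(val))}")
    return lines


# Constructed sample secret; the values are placeholders, not real credentials.
SAMPLE = {
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "p@ss word$1",
}

if __name__ == "__main__":
    print("\n".join(envify("aws-credentials", SAMPLE)))
```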
Providing the master.key file
File on disk
By default, the vault will look for the master key in a file located at ./master.key.
Environment variable
You can also provide it via an environment variable MASTER_KEY. For example:
MASTER_KEY=my-super-secret-master-key secrets edit
In Python
You can load the master_key from anywhere else and provide it when initializing the class:
from secrets_vault import SecretsVault
# Load from somewhere else
master_key = 'my-super-secret-master-key'
vault = SecretsVault(master_key=master_key)
Configuring the default filepaths
CLI command
You can also provide them as CLI arguments before the command:
$ secrets \
    --master-key-filepath ./prod/master.key \
    --secrets-filepath ./prod/secrets.json.enc \
    init
In Python
You can also configure the filepaths at which your secrets.json.enc and master.key files are located.
from secrets_vault import SecretsVault
vault = SecretsVault(master_key_filepath=..., secrets_filepath=...)
Changelog
See CHANGELOG for the list of releases.
Security Disclosure
If you discover any issue regarding security, please disclose the information responsibly by sending an email to dyer.linseed0@icloud.com. Do NOT create an Issue on the GitHub repo.
Contributing
Please check for any existing issues before opening a new Issue. If you'd like to work on something, please open a new Issue describing what you'd like to do before submitting a Pull Request.
License
See LICENSE.
File details
Details for the file secrets-vault-0.1.8.tar.gz.
File metadata
- Download URL: secrets-vault-0.1.8.tar.gz
- Upload date:
- Size: 7.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.17
File hashes
Algorithm | Hash digest
---|---
SHA256 | cb8c0ba72b8074d6e4417dc2a32cead8dc6c8f37f04f66ccd5521b7a3b651387
MD5 | 558a7ffde48ec6b6cefce6ffcaaf68b7
BLAKE2b-256 | 44aa4a5d2ca64a6d79c980853ede4e669938583170de17f4c192bcf92500ff1f
File details
Details for the file secrets_vault-0.1.8-py3-none-any.whl.
File metadata
- Download URL: secrets_vault-0.1.8-py3-none-any.whl
- Upload date:
- Size: 8.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.17
File hashes
Algorithm | Hash digest
---|---
SHA256 | af8f7a62041dddc434ded389e3ba28cded4d83b7de9d179f4780336301d655de
MD5 | eee6706a5dbfdfada58d20ce6308c176
BLAKE2b-256 | fac1b2c06165776e30a47412c562c288fb351b5c12a57dcdd77426cdba94f105