Secure Credentials Kit
A secure, encrypted credentials system for Django and FastAPI, inspired by Rails credentials.
Features
- Environment-specific encrypted credentials
- Framework-neutral CLI for generating and editing encrypted credentials
- Master keys for editing credentials and read-only keys for application runtime access
- Signed encrypted credential files backed by an asymmetric signing/verification key pair
- Django management commands
- FastAPI helpers for loading credentials into application state
Installation
The PyPI distribution, Python package, and CLI are all named for Secure Credentials Kit:
- Distribution: secure-credentials-kit
- Python package: secure_credentials_kit
- CLI: secure-credentials-kit
Supported versions:
- Python 3.10, 3.11, 3.12, 3.13, and 3.14
- Django 5.2 LTS and Django 6.0
For Django:
pip install "secure-credentials-kit[django]"
For FastAPI:
pip install "secure-credentials-kit[fastapi]"
Local Development
This project uses pyproject.toml for package metadata and uv for local
dependency management.
Install uv, then create a development environment:
uv sync
Install framework extras when you need to test integrations:
uv sync --extra django
uv sync --extra fastapi
Run tests:
uv run python -m unittest discover -v
Build the package:
uv run python -m build
Credentials Files
Add secret keys to .gitignore:
echo "secrets/*.key" >> .gitignore
Generate a new key pair:
secure-credentials-kit generate-key <environment>
This creates two role-specific keys:
- secrets/<environment>.master.key can decrypt, edit, encrypt, and sign credentials with the private signing key.
- secrets/<environment>.readonly.key can decrypt and verify credentials with the public verification key, but cannot produce accepted credential updates.
Key files are stored as one-line base64url payloads. The decoded payload contains
the key material and format version; the package detects the key role
automatically from the key material, so there is no visible master: or
readonly: prefix in the file contents.
You can regenerate a read-only key from an existing master key:
secure-credentials-kit generate-key <environment> --role readonly
Edit encrypted credentials:
secure-credentials-kit edit <environment>
Editing requires secrets/<environment>.master.key. Applications should normally
run with only secrets/<environment>.readonly.key.
The editor opens the decrypted YAML. The YAML root must be a mapping:
SOME_ENV_VAR: secret-value
database:
  url: postgres://user:password@localhost:5432/app
api:
  token: token-value
Credentials are stored in secrets/<environment>.yml.enc, and keys are stored in
secrets/<environment>.master.key and secrets/<environment>.readonly.key.
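A pre-start check for the file layout above, written for this page as an added example (it is not part of Secure Credentials Kit). The function name, the finding strings and the owner-only permission rule are assumptions; the paths and the .gitignore rule are the ones given on this page.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_runtime_secrets(project_root, environment):
    """Return findings for a host that should only read credentials."""
    root = Path(project_root)
    secrets = root / "secrets"
    master = secrets / f"{environment}.master.key"
    readonly = secrets / f"{environment}.readonly.key"
    encrypted = secrets / f"{environment}.yml.enc"
    findings = []

    if master.exists():
        findings.append("master key present on runtime host")
    if not readonly.exists():
        findings.append("readonly key missing")
    if not encrypted.exists():
        findings.append("encrypted credentials file missing")

    # Key files should be accessible to the owning user only (POSIX mode bits).
    for key in (master, readonly):
        if key.exists() and stat.S_IMODE(key.stat().st_mode) & 0o077:
            findings.append(f"{key.name} is accessible to group or others")

    # The ignore rule from this page keeps both key roles out of version control.
    gitignore = root / ".gitignore"
    rules = gitignore.read_text().splitlines() if gitignore.exists() else []
    if "secrets/*.key" not in [rule.strip() for rule in rules]:
        findings.append(".gitignore lacks secrets/*.key")
    return findings


def demo():
    """Audit a constructed project tree that contains deliberate mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets = Path(tmp) / "secrets"
        secrets.mkdir()
        for name, mode in (("production.master.key", 0o644),
                           ("production.readonly.key", 0o600),
                           ("production.yml.enc", 0o644)):
            path = secrets / name
            path.write_text("constructed-placeholder\n")
            os.chmod(path, mode)
        return audit_runtime_secrets(tmp, "production")
```

Run it in the deployment pipeline or at container start and fail the deploy when the returned list is not empty.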
The encrypted file is generated by the tool and should not be edited by hand. It
contains a signed encrypted payload similar to:
{
  "version": 2,
  "payload": "gAAAAAB...",
  "signature": "..."
}
Django Usage
Add secure_credentials_kit to your INSTALLED_APPS in settings.py:
INSTALLED_APPS = [
    ...
    'secure_credentials_kit',
    ...
]
You can also use Django management commands:
python manage.py credentials_generate_key <environment>
python manage.py credentials_generate_key <environment> --role readonly
python manage.py credentials_edit <environment>
To load the credentials in your Django app:
from secure_credentials_kit.secrets_loader import decrypt_credentials
credentials = decrypt_credentials("environment")
Here, credentials is an instance of the CredentialsContainer class and holds the decrypted credentials.
FastAPI Usage
Load credentials into FastAPI application state:
from fastapi import Depends, FastAPI
from secure_credentials_kit.fastapi import (
    credentials_dependency,
    setup_secure_credentials_kit,
)

app = FastAPI()
setup_secure_credentials_kit(app, "production")


@app.get("/settings")
def settings(credentials=Depends(credentials_dependency())):
    return {"api_host": credentials.get("api_host")}
If no environment is passed to setup_secure_credentials_kit, the helper checks
SECURE_CREDENTIALS_KIT_ENV, FASTAPI_ENV, ENV, then falls back to development.
Accessing Credentials
To access a credential:
credentials.get('key')
or
credentials.dig('key', 'subkey')
for complex nested credentials.
File details
Details for the file secure_credentials_kit-0.2.0.tar.gz.
File metadata
- Download URL: secure_credentials_kit-0.2.0.tar.gz
- Upload date:
- Size: 13.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File details
Details for the file secure_credentials_kit-0.2.0-py3-none-any.whl.
File metadata
- Download URL: secure_credentials_kit-0.2.0-py3-none-any.whl
- Upload date:
- Size: 11.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5