Secure Credentials Kit

A secure, encrypted credentials system for Django and FastAPI, inspired by Rails credentials.

Features

  • Environment-specific encrypted credentials
  • Framework-neutral CLI for generating and editing encrypted credentials
  • Master keys for editing credentials and read-only keys for application runtime access
  • Signed encrypted credential files backed by an asymmetric signing/verification key pair
  • Django management commands
  • FastAPI helpers for loading credentials into application state

Installation

The PyPI distribution, Python package, and CLI are all named for Secure Credentials Kit:

  • Distribution: secure-credentials-kit
  • Python package: secure_credentials_kit
  • CLI: secure-credentials-kit

Supported versions:

  • Python 3.10, 3.11, 3.12, 3.13, and 3.14
  • Django 5.2 LTS and Django 6.0

For Django:

pip install "secure-credentials-kit[django]"

For FastAPI:

pip install "secure-credentials-kit[fastapi]"

Local Development

This project uses pyproject.toml for package metadata and uv for local dependency management.

Install uv, then create a development environment:

uv sync

Install framework extras when you need to test integrations:

uv sync --extra django
uv sync --extra fastapi

Run tests:

uv run python -m unittest discover -v

Build the package:

uv run python -m build

Credentials Files

Add secret keys to .gitignore:

echo "secrets/*.key" >> .gitignore

Generate a new key pair:

secure-credentials-kit generate-key <environment>

This creates two role-specific keys:

  • secrets/<environment>.master.key can decrypt, edit, encrypt, and sign credentials with the private signing key.
  • secrets/<environment>.readonly.key can decrypt and verify credentials with the public verification key, but cannot produce accepted credential updates.

Key files are stored as one-line base64url payloads. The decoded payload contains the key material and format version; the package detects the key role automatically from the key material, so there is no visible master: or readonly: prefix in the file contents.

You can regenerate a read-only key from an existing master key:

secure-credentials-kit generate-key <environment> --role readonly

Edit encrypted credentials:

secure-credentials-kit edit <environment>

Editing requires secrets/<environment>.master.key. Applications should normally run with only secrets/<environment>.readonly.key.

The editor opens the decrypted YAML. The YAML root must be a mapping:

SOME_ENV_VAR: secret-value
database:
  url: postgres://user:password@localhost:5432/app
api:
  token: token-value

Credentials are stored in secrets/<environment>.yml.enc, and keys are stored in secrets/<environment>.master.key and secrets/<environment>.readonly.key. The encrypted file is generated by the tool and should not be edited by hand. It contains a signed encrypted payload similar to:

{
  "version": 2,
  "payload": "gAAAAAB...",
  "signature": "..."
}
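
A pre-deployment check for the key split described above, as an added example that is not part of the package: it flags a master key left on a runtime host, key files readable by group or others, and an envelope missing the fields shown in the sample. The names audit_runtime_secrets and demo and the sample data are assumptions made for this example; only the file names come from this README.

```python
import json
import stat
import tempfile
from pathlib import Path

ENVELOPE_FIELDS = {"version", "payload", "signature"}  # fields in the sample above


def audit_runtime_secrets(secrets_dir, environment):
    """Findings for a host that should hold only the read-only key."""
    root, findings = Path(secrets_dir), []
    master, readonly, envelope = (
        root / f"{environment}.{s}" for s in ("master.key", "readonly.key", "yml.enc"))
    if master.exists():
        findings.append(f"{master.name}: master key present on a runtime host")
    if not readonly.exists():
        findings.append(f"{readonly.name}: read-only key missing")
    for key in (master, readonly):
        # POSIX mode bits: a key file should be readable by its owner only.
        if key.exists() and stat.S_IMODE(key.stat().st_mode) & 0o077:
            findings.append(f"{key.name}: readable by group or others")
    try:
        doc = json.loads(envelope.read_text())
    except (OSError, ValueError) as exc:
        findings.append(f"{envelope.name}: unreadable envelope ({type(exc).__name__})")
    else:
        # Structural check only; signature verification is the package's job.
        missing = ENVELOPE_FIELDS - set(doc) if isinstance(doc, dict) else ENVELOPE_FIELDS
        if missing:
            findings.append(f"{envelope.name}: missing fields {sorted(missing)}")
    return findings


def demo():
    """Audit two constructed secrets directories (sample data, not real keys)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good"), Path(tmp, "bad")
        for d in (good, bad):
            d.mkdir()
            (d / "production.readonly.key").write_text("constructed\n")
            (d / "production.readonly.key").chmod(0o600)
        (good / "production.yml.enc").write_text('{"version": 2, "payload": "x", "signature": "y"}')
        (bad / "production.master.key").write_text("constructed\n")
        (bad / "production.master.key").chmod(0o644)
        (bad / "production.yml.enc").write_text('{"version": 2}')
        return audit_runtime_secrets(good, "production"), audit_runtime_secrets(bad, "production")


if __name__ == "__main__":
    print(demo())
```

The permission check relies on POSIX mode bits, so it is meaningful on Linux and macOS hosts only.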

Django Usage

Add secure_credentials_kit to your INSTALLED_APPS in settings.py:

INSTALLED_APPS = [
    ...
    'secure_credentials_kit',
    ...
]

You can also use Django management commands:

python manage.py credentials_generate_key <environment>
python manage.py credentials_generate_key <environment> --role readonly
python manage.py credentials_edit <environment>

To load the credentials in your Django app:

from secure_credentials_kit.secrets_loader import decrypt_credentials
credentials = decrypt_credentials("environment")

Here, credentials is an instance of the CredentialsContainer class, which holds the decrypted credentials.

FastAPI Usage

Load credentials into FastAPI application state:

from fastapi import Depends, FastAPI
from secure_credentials_kit.fastapi import (
    credentials_dependency,
    setup_secure_credentials_kit,
)

app = FastAPI()
setup_secure_credentials_kit(app, "production")


@app.get("/settings")
def settings(credentials=Depends(credentials_dependency())):
    return {"api_host": credentials.get("api_host")}

If no environment is passed to setup_secure_credentials_kit, the helper checks SECURE_CREDENTIALS_KIT_ENV, FASTAPI_ENV, ENV, then falls back to development.

Accessing Credentials

To access a credential:

credentials.get('key')

or

credentials.dig('key', 'subkey')

for complex nested credentials.

To access and cast a credential:

credentials.get_as_type('port', int)

or

credentials.dig_as_type(int, 'database', 'port')

Download files

  • Source distribution: secure_credentials_kit-0.3.0.tar.gz (14.0 kB)
  • Built distribution: secure_credentials_kit-0.3.0-py3-none-any.whl (11.9 kB, Python 3)
