Secure Credentials Kit

A secure, encrypted credentials system for Django and FastAPI, inspired by Rails credentials.

Features

  • Environment-specific encrypted credentials
  • Framework-neutral CLI for generating and editing encrypted credentials
  • Master keys for editing credentials and read-only keys for application runtime access
  • Signed encrypted credential files backed by an asymmetric signing/verification key pair
  • Django management commands
  • FastAPI helpers for loading credentials into application state

Installation

The PyPI distribution, Python package, and CLI are all named for Secure Credentials Kit:

  • Distribution: secure-credentials-kit
  • Python package: secure_credentials_kit
  • CLI: secure-credentials-kit

Supported versions:

  • Python 3.10, 3.11, 3.12, 3.13, and 3.14
  • Django 5.2 LTS and Django 6.0

For Django:

pip install "secure-credentials-kit[django]"

For FastAPI:

pip install "secure-credentials-kit[fastapi]"

Local Development

This project uses pyproject.toml for package metadata and uv for local dependency management.

Install uv, then create a development environment:

uv sync

Install framework extras when you need to test integrations:

uv sync --extra django
uv sync --extra fastapi

Run tests:

uv run python -m unittest discover -v

Build the package:

uv run python -m build

Credentials Files

Add secret keys to .gitignore:

echo "secrets/*.key" >> .gitignore

Generate a new key pair:

secure-credentials-kit generate-key <environment>

This creates two role-specific keys:

  • secrets/<environment>.master.key can decrypt, edit, encrypt, and sign credentials with the private signing key.
  • secrets/<environment>.readonly.key can decrypt and verify credentials with the public verification key, but cannot produce accepted credential updates.

Key files are stored as one-line base64url payloads. The decoded payload contains the key material and format version; the package detects the key role automatically from the key material, so there is no visible master: or readonly: prefix in the file contents.

You can regenerate a read-only key from an existing master key:

secure-credentials-kit generate-key <environment> --role readonly

Edit encrypted credentials:

secure-credentials-kit edit <environment>

Editing requires secrets/<environment>.master.key. Applications should normally run with only secrets/<environment>.readonly.key.
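The key-handling rules above (keep secrets/*.key out of Git, run applications with only the read-only key) can be checked mechanically. This is an added example, not part of the package: audit_secrets and its runtime flag are hypothetical names, and the owner-only permission check is an extra hardening assumption that the page does not state.

```python
import fnmatch
import stat
import tempfile
from pathlib import Path


def audit_secrets(project_root, environment, runtime=False):
    """Return findings for the secrets/ layout described above."""
    root = Path(project_root)
    key_files = sorted((root / "secrets").glob("*.key"))
    findings = []

    # Added hardening check (not from the page): keys readable by owner only.
    for key_file in key_files:
        mode = stat.S_IMODE(key_file.stat().st_mode)
        if mode & 0o077:
            findings.append(f"{key_file.name}: loose permissions {oct(mode)}")

    if runtime:
        # Application hosts should hold only the read-only key.
        names = {k.name for k in key_files}
        if f"{environment}.master.key" in names:
            findings.append(f"{environment}.master.key: master key present at runtime")
        if f"{environment}.readonly.key" not in names:
            findings.append(f"{environment}.readonly.key: read-only key missing")
        return findings

    # Repository checkout: every key file must match an ignore pattern.
    # fnmatch only approximates gitignore matching; it is enough for secrets/*.key.
    gitignore = root / ".gitignore"
    lines = gitignore.read_text().splitlines() if gitignore.exists() else []
    patterns = [ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")]
    for key_file in key_files:
        rel = key_file.relative_to(root).as_posix()
        if not any(fnmatch.fnmatchcase(rel, p) for p in patterns):
            findings.append(f"{rel}: not covered by .gitignore")
    return findings


if __name__ == "__main__":
    # Constructed sample tree: both keys deployed, read-only key world-readable.
    root = Path(tempfile.mkdtemp())
    (root / "secrets").mkdir()
    for name, mode in (("production.master.key", 0o600), ("production.readonly.key", 0o644)):
        path = root / "secrets" / name
        path.write_text("constructed-placeholder\n")
        path.chmod(mode)
    for finding in audit_secrets(root, "production", runtime=True):
        print(finding)
```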

The editor opens the decrypted YAML. The YAML root must be a mapping:

SOME_ENV_VAR: secret-value
database:
  url: postgres://user:password@localhost:5432/app
api:
  token: token-value

Credentials are stored in secrets/<environment>.yml.enc, and keys are stored in secrets/<environment>.master.key and secrets/<environment>.readonly.key. The encrypted file is generated by the tool and should not be edited by hand. It contains a signed encrypted payload similar to:

{
  "version": 2,
  "payload": "gAAAAAB...",
  "signature": "..."
}
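Why a read-only key can decrypt but cannot produce an accepted update, shown as an added sketch that is not the package's own code. It assumes Fernet for encryption and Ed25519 for signing (the page does not name the algorithms) and needs the cryptography library; generate_keys, seal, open_envelope and is_accepted are hypothetical names.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def generate_keys():
    """Return (master, readonly): shared encryption key, split signing pair."""
    enc_key = Fernet.generate_key()
    signing_key = Ed25519PrivateKey.generate()
    master = {"enc": enc_key, "sign": signing_key}
    readonly = {"enc": enc_key, "verify": signing_key.public_key()}
    return master, readonly


def seal(enc_key, signing_key, plaintext):
    """Encrypt, then sign the ciphertext; return the JSON envelope as text."""
    payload = Fernet(enc_key).encrypt(plaintext)
    signature = signing_key.sign(payload)
    return json.dumps({
        "version": 2,
        "payload": payload.decode(),
        "signature": base64.urlsafe_b64encode(signature).decode(),
    })


def open_envelope(readonly, envelope):
    """Verify before decrypting; raises InvalidSignature on a bad signature."""
    doc = json.loads(envelope)
    payload = doc["payload"].encode()
    readonly["verify"].verify(base64.urlsafe_b64decode(doc["signature"]), payload)
    return Fernet(readonly["enc"]).decrypt(payload)


def is_accepted(readonly, envelope):
    """True only when the envelope carries a valid master signature."""
    try:
        open_envelope(readonly, envelope)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    master, readonly = generate_keys()
    good = seal(master["enc"], master["sign"], b"api:\n  token: token-value\n")
    # Re-encrypted with the shared key but signed by a key that is not the master's.
    bad = seal(readonly["enc"], Ed25519PrivateKey.generate(), b"api:\n  token: changed\n")
    print(is_accepted(readonly, good), is_accepted(readonly, bad))
```

In this sketch both keys hold the decryption secret, so the read-only key limits who can publish updates, not who can read them.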

Django Usage

Add secure_credentials_kit to your INSTALLED_APPS in settings.py:

INSTALLED_APPS = [
    # ... existing apps ...
    'secure_credentials_kit',
    # ...
]

You can also use Django management commands:

python manage.py credentials_generate_key <environment>
python manage.py credentials_generate_key <environment> --role readonly
python manage.py credentials_edit <environment>

To load the credentials in your Django app:

from secure_credentials_kit.secrets_loader import decrypt_credentials
credentials = decrypt_credentials("environment")

Here, credentials is an instance of the CredentialsContainer class, which holds the decrypted credentials.

FastAPI Usage

Load credentials into FastAPI application state:

from fastapi import Depends, FastAPI
from secure_credentials_kit.fastapi import (
    credentials_dependency,
    setup_secure_credentials_kit,
)

app = FastAPI()
setup_secure_credentials_kit(app, "production")


@app.get("/settings")
def settings(credentials=Depends(credentials_dependency())):
    return {"api_host": credentials.get("api_host")}

If no environment is passed to setup_secure_credentials_kit, the helper checks SECURE_CREDENTIALS_KIT_ENV, FASTAPI_ENV, ENV, then falls back to development.

Accessing Credentials

To access a credential:

credentials.get('key')

or

credentials.dig('key', 'subkey')

for complex nested credentials.

To access and cast a credential:

credentials.get_as_type('port', int)

or

credentials.dig_as_type(int, 'database', 'port')

Download files

Source Distribution

secure_credentials_kit-0.3.1.tar.gz (14.0 kB)

Uploaded Source

Built Distribution

secure_credentials_kit-0.3.1-py3-none-any.whl (11.9 kB)

Uploaded Python 3

File details

Details for the file secure_credentials_kit-0.3.1.tar.gz.

File metadata

  • Download URL: secure_credentials_kit-0.3.1.tar.gz
  • Upload date:
  • Size: 14.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for secure_credentials_kit-0.3.1.tar.gz
Algorithm Hash digest
SHA256 cf959bb2f5c5f579b118b4604921e6c8e0965a9d9b8687936f05da3b0672fc1c
MD5 c25fff0ad956e92b3356ac77dd59384b
BLAKE2b-256 668036d2c482f8202dc57effda12a252841f2db3594b2b9e1e8d5960c0e8d674

File details

Details for the file secure_credentials_kit-0.3.1-py3-none-any.whl.

File hashes

Hashes for secure_credentials_kit-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a42d9b1d0ecca1fcdbf5341a25b00937799c5c494be9b478af55d5cb77d9ae1e
MD5 d18e0d858d319254568cac1652aafea2
BLAKE2b-256 188e154573adfdf32c41f1090498e0c3b906a66cad1e183b184a4176bf6fa995
