
ToruVault: A simple Python package for managing Bitwarden secrets

This project has been archived: the maintainers have marked it as archived and no new releases are expected.

Project description


ToruVault

A secure Python secrets manager and environment variable manager for Bitwarden integration. Safely manage API keys and secrets in your Python applications.


Features

  • Secrets Manager for Python: Load secrets from Bitwarden Secret Manager into environment variables
  • API Key Management: Access and manage API keys securely in your Python applications
  • Environment Variable Manager: Easily inject secrets as environment variables
  • Bitwarden Python Integration: Seamless integration with Bitwarden Secret Manager
  • Secure In-Memory Caching: Encrypted caching with automatic expiration (5 minutes)
  • Project-Based Secret Filtering: Filter secrets by project ID
  • Secure Storage: Machine-specific secret protection with proper file permissions
  • OS Keyring Integration: Secure credential storage using your operating system's keyring

Installation

Using UV (Recommended)

# Install UV if you don't have it already (review the script before piping it to sh)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Install toru-vault package (basic installation)
uv pip install toru-vault

# Or install with keyring support (recommended for secure storage)
# Quote the extra so shells such as zsh do not treat the brackets as a glob
uv pip install "toru-vault[keyring]"

# Or install in a virtual environment (recommended)
uv venv --python 3.10 .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
uv pip install "toru-vault[keyring]"

This will install all required dependencies:

  • bitwarden-sdk - For interfacing with Bitwarden API
  • cryptography - For encryption/decryption operations

And when installed with the keyring option:

  • keyring - For secure credential storage using OS keyring

Note: Keyring is optional but recommended. Without it, some features such as toru-vault init will not work, and you must pass use_keyring=False to get() so that the cache uses in-memory encryption instead of the system keyring.

From Source with UV

# Clone the repository
git clone https://github.com/ToruAI/vault.git
cd vault

# Create and activate a virtual environment
uv venv --python 3.10 .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# Install dependencies
uv pip install -r requirements.txt

# Install in development (editable) mode
uv pip install -e .

Configuration

You have two options for configuring the vault:

Option 1: Initialize with Keyring Storage (Recommended)

The most secure way to set up vault is to use your operating system's secure keyring:

# Initialize vault with secure keyring storage
python -m vault init

This will prompt you to enter:

  • Your Bitwarden access token (BWS_TOKEN)
  • Your Bitwarden organization ID (ORGANIZATION_ID)
  • The path to the state file (STATE_FILE)

See the Bitwarden Python Integration section below for how to obtain the BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE.

These credentials will be securely stored in your OS keyring and used automatically by the vault.

Option 2: Environment Variables

Alternatively, you can set the following environment variables:

  • BWS_TOKEN: Your Bitwarden access token
  • ORGANIZATION_ID: Your Bitwarden organization ID
  • STATE_FILE: Path to the state file (must be in an existing directory)
  • PROJECT_ID (optional): Your Bitwarden project ID to filter secrets
  • API_URL (optional): Defaults to "https://api.bitwarden.com"
  • IDENTITY_URL (optional): Defaults to "https://identity.bitwarden.com"

Setting these environment variables is useful for container environments or when keyring is not available.
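The two configuration options above can be combined into one fail-closed lookup. The following is an added example and not ToruVault's own code: it reads the three required values from environment variables, falls back to the OS keyring through an injected callable with the signature of keyring.get_password (so it runs without the keyring package installed), applies the defaults listed above for API_URL and IDENTITY_URL, and rejects a STATE_FILE whose directory does not exist. The keyring service name, the environment-before-keyring precedence and all function names are assumptions; the page does not specify them.

```python
"""Fail-closed resolution of the configuration ToruVault needs.

Added example, not ToruVault's own code. It mirrors the two options above:
environment variables and the OS keyring (reached through an injected callable
with the signature of keyring.get_password, so this runs without the keyring
package). The service name, the env-before-keyring order and all function
names are assumptions; the page does not specify them.
"""
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Defaults stated on the page for the optional endpoints.
DEFAULT_API_URL = "https://api.bitwarden.com"
DEFAULT_IDENTITY_URL = "https://identity.bitwarden.com"

KEYRING_SERVICE = "toru_vault"  # hypothetical keyring service name
REQUIRED = ("BWS_TOKEN", "ORGANIZATION_ID", "STATE_FILE")


class ConfigError(ValueError):
    """Names the missing or unusable settings; never carries a secret value."""


@dataclass(frozen=True)
class VaultConfig:
    bws_token: str
    organization_id: str
    state_file: str
    project_id: Optional[str]
    api_url: str
    identity_url: str

    def __repr__(self) -> str:
        # Redact the access token so the object is safe to log or print.
        return (
            f"VaultConfig(bws_token='***', organization_id={self.organization_id!r}, "
            f"state_file={self.state_file!r}, project_id={self.project_id!r}, "
            f"api_url={self.api_url!r}, identity_url={self.identity_url!r})"
        )


def resolve_config(
    env: Mapping[str, str] = os.environ,
    keyring_get: Optional[Callable[[str, str], Optional[str]]] = None,
) -> VaultConfig:
    """Environment variables first (container overrides), then the OS keyring.

    All missing required values are reported together so they can be fixed in
    one pass, and STATE_FILE is rejected unless its directory already exists.
    """
    def lookup(name: str) -> Optional[str]:
        value = env.get(name)
        if not value and keyring_get is not None:
            value = keyring_get(KEYRING_SERVICE, name)
        return value or None

    values = {name: lookup(name) for name in REQUIRED}
    missing = [name for name, value in values.items() if value is None]
    if missing:
        raise ConfigError(
            f"missing configuration: {', '.join(missing)} "
            "(run the init command or export them as environment variables)"
        )

    state_dir = os.path.dirname(os.path.abspath(values["STATE_FILE"]))
    if not os.path.isdir(state_dir):
        raise ConfigError(f"STATE_FILE directory does not exist: {state_dir}")

    return VaultConfig(
        bws_token=values["BWS_TOKEN"],
        organization_id=values["ORGANIZATION_ID"],
        state_file=values["STATE_FILE"],
        project_id=env.get("PROJECT_ID") or None,
        api_url=env.get("API_URL") or DEFAULT_API_URL,
        identity_url=env.get("IDENTITY_URL") or DEFAULT_IDENTITY_URL,
    )
```

When the keyring extra is installed, `keyring.get_password` can be passed directly as `keyring_get`; the error message lists which settings are missing but never echoes a value, and the redacting `__repr__` keeps the token out of logs and tracebacks.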

CLI Commands

Initialize Vault

# Set up vault with secure credential storage
python -m vault init

Listing Available Projects

# List all projects in your organization
python -m vault list 

# With a specific organization ID
python -m vault list --org-id YOUR_ORGANIZATION_ID

Python Usage

Loading secrets into environment variables (Env Manager)

import toru_vault as vault

# Load all secrets into environment variables
vault.env_load()

# Now you can access secrets as environment variables
import os
print(os.environ.get("SECRET_NAME"))

# Load secrets for a specific project
vault.env_load(project_id="your-project-id")

# Alternatively, set PROJECT_ID environment variable and call without parameter
# export PROJECT_ID="your-project-id"  # Linux/macOS
# set PROJECT_ID=your-project-id     # Windows
vault.env_load()  # Will use PROJECT_ID from environment

# Override existing environment variables (default: False)
vault.env_load(override=True)

Getting secrets as a dictionary

import toru_vault as vault

# Get all secrets as a dictionary
secrets = vault.get()
print(secrets["SECRET_NAME"])  # Secret is only decrypted when accessed

# Force refresh the cache
secrets = vault.get(refresh=True)

# Get secrets for a specific project
secrets = vault.get(project_id="your-project-id")

# Alternatively, set PROJECT_ID environment variable and call without parameter
# export PROJECT_ID="your-project-id"  # Linux/macOS
# set PROJECT_ID=your-project-id     # Windows
secrets = vault.get()  # Will use PROJECT_ID from environment

# Use in-memory encryption instead of system keyring
secrets = vault.get(use_keyring=False)

Loading secrets from all projects

import toru_vault as vault

# Load secrets from all projects you have access to into environment variables
vault.env_load_all()

# Override existing environment variables (default: False)
vault.env_load_all(override=True)

Security Features

ToruVault provides robust security for your API keys and environment variables:

  1. OS Keyring Integration: Securely stores BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE in your OS keyring
  2. Memory Protection: Cached secrets are held in memory as Fernet tokens (AES-128-CBC with an HMAC-SHA256 authentication tag), not as plaintext
  3. Lazy Decryption: Secrets are only decrypted when explicitly accessed
  4. Cache Expiration: Cached secrets expire after 5 minutes by default
  5. Secure File Permissions: Sets secure permissions on state files
  6. Machine-Specific Encryption: Derives the cache encryption key from machine-specific identifiers, so a cache copied to another host cannot be decrypted there (such identifiers are not secret, so this defends against the data leaving the machine, not against code already running as the same user on it)
  7. Cache Clearing: Automatically clears secret cache on program exit
  8. Environment Variable Protection: Doesn't override existing environment variables by default
  9. Secure Key Derivation: Uses PBKDF2 with SHA-256 for key derivation
  10. No Direct Storage: Never stores secrets in plain text on disk
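Items 2, 3, 4, 6, 7 and 9 above describe one mechanism: a key derived with PBKDF2-HMAC-SHA256 from machine identifiers, values kept only as Fernet ciphertext, decryption on access, expiry after five minutes and clearing at exit. The following is an added example showing that mechanism with the `cryptography` package; it is not ToruVault's own implementation, and the class, function and parameter names are assumptions. It also shows the caveat from item 6: a token from this cache cannot be opened with a key derived on another machine.

```python
"""Encrypted, lazily decrypted, time-limited in-memory secret cache.

Added example, not ToruVault's own implementation: it shows the mechanism the
feature list describes (PBKDF2-HMAC-SHA256 key derivation from machine
identifiers, Fernet encryption of cached values, decrypt-on-access, 5-minute
expiry and clearing at exit) using the `cryptography` package. Class, function
and parameter names are assumptions.
"""
import atexit
import base64
import getpass
import os
import platform
import time
import uuid
from typing import Callable, Dict, Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

DEFAULT_TTL_SECONDS = 5 * 60  # the README's default cache lifetime


def machine_key_material() -> bytes:
    """Identifiers that are stable for this machine and user but differ elsewhere.

    Caveat: none of them is secret. A key derived from them stops a cache blob
    from being opened on another host; it is not a defence against code that
    already runs as the same user on this one.
    """
    try:
        user = getpass.getuser()
    except Exception:  # no login name available (some containers)
        user = ""
    return "|".join([platform.node(), user, str(uuid.getnode())]).encode()


def derive_fernet_key(material: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32 bytes, base64url-encoded as Fernet requires."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=iterations)
    return base64.urlsafe_b64encode(kdf.derive(material))


class SecretCache:
    """Holds secrets only as Fernet tokens; plaintext exists only while accessed."""

    def __init__(
        self,
        ttl: float = DEFAULT_TTL_SECONDS,
        key_material: Optional[bytes] = None,
        salt: Optional[bytes] = None,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping
        # A fresh random salt per process: the derived key, and so every token,
        # is bound to this process's run as well as to the machine.
        self.salt = salt if salt is not None else os.urandom(16)
        material = key_material if key_material is not None else machine_key_material()
        self._fernet = Fernet(derive_fernet_key(material, self.salt))
        self._tokens: Dict[str, bytes] = {}
        self._loaded_at: Optional[float] = None
        atexit.register(self.clear)  # wipe the cache when the interpreter exits

    def load(self, secrets: Dict[str, str]) -> None:
        """Encrypt every value immediately; the plaintext dict is not retained."""
        self._tokens = {k: self._fernet.encrypt(v.encode()) for k, v in secrets.items()}
        self._loaded_at = self._clock()

    def expired(self) -> bool:
        return self._loaded_at is None or self._clock() - self._loaded_at > self._ttl

    def __getitem__(self, name: str) -> str:
        """Lazy decryption: only the requested value is decrypted, and only while fresh."""
        if self.expired():
            self.clear()
            raise KeyError(f"{name}: cache expired, fetch the secrets again")
        return self._fernet.decrypt(self._tokens[name]).decode()

    def __contains__(self, name: str) -> bool:
        return not self.expired() and name in self._tokens

    def token(self, name: str) -> bytes:
        """The stored ciphertext, useful to confirm no plaintext is held."""
        return self._tokens[name]

    def clear(self) -> None:
        self._tokens.clear()
        self._loaded_at = None


def readable_elsewhere(cache: SecretCache, name: str, other_material: bytes) -> bool:
    """Would a key derived from another machine's identifiers open this token?"""
    other = Fernet(derive_fernet_key(other_material, cache.salt))
    try:
        other.decrypt(cache.token(name))
        return True
    except InvalidToken:
        return False
```

Plaintext is produced only inside `__getitem__` and handed to the caller, so a heap dump of a process that has not accessed a given secret shows only its Fernet token. An expired cache is wiped rather than served stale, which forces the caller to fetch from Bitwarden again, the same behaviour as `get(refresh=True)`.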

Bitwarden Python Integration

BWS_TOKEN

Your Bitwarden access token. You can get it from the Bitwarden web app:

  1. Log in to your Bitwarden account.
  2. Open Secrets Manager (bottom-left of the sidebar).
  3. Go to the "Machine accounts" section.
  4. Create a new machine account.
  5. Open its "Access tokens" tab and create an access token.
  6. The token shown there is your BWS_TOKEN; copy it when it is displayed.

Remember to grant the machine account access to the projects whose secrets you need; the token can only read what the machine account is allowed to see, so keep that grant as narrow as possible.

ORGANIZATION_ID

Your Bitwarden organization ID. You can get it from the Bitwarden web app:

  1. Log in to your Bitwarden account.
  2. Open Secrets Manager (bottom-left of the sidebar).
  3. Go to the "Machine accounts" section.
  4. Open the machine account created above (or create one).
  5. Open its "Config" tab.
  6. The organization ID listed there is your ORGANIZATION_ID.

STATE_FILE

The STATE_FILE is the path at which the Bitwarden SDK's login_access_token method stores persistent authentication state after a successful login with the access token.

Set it to a file path inside an existing directory, as described for the STATE_FILE environment variable above. Because the file holds authentication state, keep it out of version control and readable only by the user that runs the application.

Security Best Practices

When working with secrets, always follow these important guidelines:

  1. Never Embed Keys in Code: Always use environment variables, keyring, or secure secret management systems.
  2. Never Commit Secrets: Add secret files and credentials to your .gitignore file.
  3. Use Key Rotation: Regularly rotate your access tokens as a security measure.
  4. Limit Access: Only provide access to secrets on a need-to-know basis.
  5. Monitor Usage: Regularly audit which applications and users are accessing your secrets.
  6. Use Environment-Specific Secrets: Use different secrets for development, staging, and production environments.

Remember that the vault package is designed to protect secrets once they're in your system, but you must handle the initial configuration securely.

Why Choose ToruVault

ToruVault stands out as a comprehensive solution for Python developers who need:

  • A reliable secrets manager for Python applications
  • Secure API key management with encryption
  • An environment variable manager that simplifies configuration
  • Seamless Bitwarden Python integration for team secret sharing

By combining the security of Bitwarden with the convenience of Python's environment variables, ToruVault provides a robust solution for managing sensitive information in your applications.

License

ToruVault is released under the MIT License. See the LICENSE file for details.

Download files

Source Distribution

toru_vault-0.3.1.tar.gz (19.9 kB), uploaded via twine/6.1.0 CPython/3.12.9, Trusted Publishing: No

Hashes for toru_vault-0.3.1.tar.gz
Algorithm Hash digest
SHA256 e834c25935b15f525a1304c1464d99757ece0b018668d768637566f2d9497d1e
MD5 e730a706629e470f8dfa683f614aecd6
BLAKE2b-256 455d0fb766383f35f8c938499639445c5c910ca8edfebcd9e51f21144db6f861

Built Distribution

toru_vault-0.3.1-py3-none-any.whl (17.2 kB, Python 3), uploaded via twine/6.1.0 CPython/3.12.9, Trusted Publishing: No

Hashes for toru_vault-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 638113a09d8395606f04524f261f6c1aa4f9d87972f319a9b7ae495b18c4fa4b
MD5 64fce4c5388916840e9f2fe15e95f21d
BLAKE2b-256 904e73948a29561e54304428fc12bf979aaf98cd6d67591e78b63c2b15e8d93a
