Python encrypted secrets

Aug 22, 2023 · 1 minute read


Introducing: secrets-vault - simple encrypted secrets for Python.

Highlights:

  • Encrypt and store secrets alongside your code
  • Read secrets from your Python code, via the CLI or export to a dotenv file
  • Pairs nicely with mrsk for deployments

This tool lets you encrypt your secrets and commit the encrypted vault alongside your code. You can then decrypt them using a master.key, much like Rails credentials.

I built this because I wanted to use a similar approach and pair it with mrsk for deploying my Django apps.

But this library isn’t tied to a particular framework. You can even use it as a standalone CLI tool for encrypting and decrypting secrets to a file on disk.

To decrypt and read the secrets, provide the master key either as a file or as an environment variable. You can then read the secrets vault from Python, via the CLI, or export it to a dotenv file.

Quickstart

  1. Install it:

     $ pip install secrets-vault

  2. Create a new vault:

     $ secrets init

     Generated new secrets vault at ./secrets.yml.enc
     Generated new master key at ./master.key - keep it safe!

  3. Open vault in your editor:

     $ secrets edit

     # Add your secrets below, comments are supported too.
     # dev:
     #   secret-key: abc123
     #
     # database-url: postgres://user:pass@localhost:5432/dev

  4. Read secrets:

     $ secrets get database-url

     > postgres://user:pass@localhost:5432/dev

  5. Consume secrets as environment variables:

     $ secrets envify -o dotenv

     $ cat .env

     > DATABASE_URL=postgres://...
     > REDIS_URL=redis://...
     > COOKIE_SECRET=abc123
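
The quickstart leaves two plaintext files in the working tree, master.key and the exported .env, next to the encrypted secrets.yml.enc. The check below is an added example, not part of secrets-vault: it assumes a POSIX filesystem and a top-level .gitignore, and the function names `audit` and `ignored_by` are hypothetical.

```python
import fnmatch
import stat
from pathlib import Path

# File names taken from the quickstart output: the master key and the dotenv
# export hold plaintext secret material; only secrets.yml.enc is encrypted.
PLAINTEXT_FILES = ("master.key", ".env")


def ignored_by(gitignore: Path, name: str) -> bool:
    """Approximate check: does a top-level .gitignore pattern cover `name`?

    Handles comments, blank lines, a leading "/" and "!" negation with
    last-match-wins. It is not a full gitignore implementation.
    """
    if not gitignore.is_file():
        return False
    ignored = False
    for raw in gitignore.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        pattern = line.lstrip("!").lstrip("/")
        if fnmatch.fnmatch(name, pattern):
            ignored = not negated
    return ignored


def audit(root: str = ".") -> list[str]:
    """Return one finding per problem; an empty list means the checks passed."""
    base = Path(root)
    findings = []
    for name in PLAINTEXT_FILES:
        path = base / name
        if not path.is_file():
            continue
        # Any group/other permission bit exposes the file to other local users.
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append(f"{name}: accessible by group/others, run chmod 600")
        if not ignored_by(base / ".gitignore", name):
            findings.append(f"{name}: not covered by .gitignore")
    return findings


if __name__ == "__main__":
    problems = audit()
    print("\n".join(problems) or "ok")
    raise SystemExit(1 if problems else 0)
```

Run from the project root, it exits non-zero when either file is exposed, so it can gate a commit hook or a deploy step.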

You can find more documentation in the GitHub repo.

