{"id":14979104,"url":"https://github.com/anthonynsimon/secrets-vault","last_synced_at":"2025-10-28T14:30:47.563Z","repository":{"id":182830279,"uuid":"668750279","full_name":"anthonynsimon/secrets-vault","owner":"anthonynsimon","description":"Simple encrypted secrets for Python","archived":false,"fork":false,"pushed_at":"2023-09-01T09:57:46.000Z","size":92,"stargazers_count":19,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-07T00:29:45.944Z","etag":null,"topics":["config","django","encryption","fastapi","flask","python","secrets"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anthonynsimon.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-20T14:04:44.000Z","updated_at":"2024-07-30T08:55:31.000Z","dependencies_parsed_at":"2024-09-19T01:08:13.885Z","dependency_job_id":"e17d9ba2-f27e-4478-b77e-da3866ab1945","html_url":"https://github.com/anthonynsimon/secrets-vault","commit_stats":{"total_commits":57,"total_committers":1,"mean_commits":57.0,"dds":0.0,"last_synced_commit":"82b2a7c60e5d4e8a18cc6bf06dbf6623d6a82392"},"previous_names":["anthonynsimon/secrets-vault"],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonynsimon%2Fsecrets-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonynsimon%2Fsecrets-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonynsimon%2Fsecrets-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonynsimon%2Fsecrets-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anthonynsimon","download_url":"https://codeload.github.com/anthonynsimon/secrets-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238662693,"owners_count":19509650,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["config","django","encryption","fastapi","flask","python","secrets"],"created_at":"2024-09-24T13:59:13.966Z","updated_at":"2025-10-28T14:30:47.143Z","avatar_url":"https://github.com/anthonynsimon.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secrets-vault\n[![PyPi Latest Version](https://img.shields.io/pypi/v/secrets-vault)](https://pypi.org/project/secrets-vault/)\n[![PyPi Downloads](https://img.shields.io/pypi/dm/secrets-vault)](https://pypi.org/project/secrets-vault/)\n[![License](https://img.shields.io/github/license/anthonynsimon/secrets-vault)](https://github.com/anthonynsimon/secrets-vault/blob/master/LICENSE)\n\n\n\nSimple tool to keep your app secrets encrypted in-repo. Easily decrypt using a `master.key`.\n\nThe vault is YAML encoded by default, and is encrypted using [AES-GCM-256 authenticated encryption](https://cryptography.io/en/latest/hazmat/primitives/aead/#cryptography.hazmat.primitives.ciphers.aead.AESGCM).\n\nInspired by Rails credentials - it pairs nicely with [mrsk](https://mrsk.dev). But it can be used as a standalone CLI tool or as a library. \n\n## Quick start\n\n1. Install it:\n```bash\n$ pip install secrets-vault\n```\n\n2. Create a new vault:\n ```bash\n$ secrets init\n\nGenerated new secrets vault at ./secrets.yml.enc\nGenerated new master key at ./master.key - keep it safe!\n ``` \n\n3. Open vault in your editor:\n```bash\n$ secrets edit\n\n# Add your secrets below, comments are supported too.\n# dev:\n#     secret-key: abc123\n#\n# database-url: postgres://user:pass@localhost:5432/dev\n```\n\n4. Read secrets:\n\n```bash\n$ secrets get database-url\n\n\u003e postgres://user:pass@localhost:5432/dev\n```\n\n5. Consume secrets as environment variables:\n\n```bash\n$ secrets envify -o dotenv\n\n$ cat .env\n\n\u003e DATABASE_URL=postgres://...\n\u003e REDIS_URL=redis://...\n\u003e COOKIE_SECRET=abc123\n```\n\n**Important:** You should keep the `master.key` secret, do NOT commit it. Ignore it in your `.gitignore` file. The `secrets.yml.enc` file is encrypted and can be committed.\n\n## CLI usage\n\nYou can view the help anytime by running `secrets --help`:\n\n```\nUsage: secrets [OPTIONS] COMMAND [ARGS]...\n\n  Manage a local secrets vault.\n\nOptions:\n  -s, --secrets-filepath TEXT     Path to the encrypted secrets vault.\n                                  [default: ./secrets.yml.enc]\n  -m, --master-key-filepath TEXT  Path to the master.key file.  [default:\n                                  ./master.key]\n  -f, --format [yaml|json]        Format to use for the secrets vault.\n                                  [default: yaml]\n  -v, --verbose                   Enable verbose output.\n  --help                          Show this message and exit.\n\nCommands:\n  del      Delete a secret.\n  edit     Open the secrets vault in your configured $EDITOR.\n  envify   Prints a provided secret key as one or more env variables.\n  get      Get a secret value.\n  init     Generate a new secrets vault and master.key pair.\n  set      Store a secret.\n  version  Show the package version.\n```\n\n## Reading secrets\n\n### CLI commands\n\nList all secrets:\n\n```bash\n$ secrets get\n\n# Add your secrets below, comments are supported too.\n# dev:\n#     secret-key: abc123\n#\n# database-url: postgres://user:pass@localhost:5432/dev\n```\n\nGet a secret:\n\n```bash\n$ secrets get database-url\n\u003e postgres://user:pass@localhost:5432/dev\n```\n\nTraverse nested objects:\n\n```bash\n$ secrets get\n\ndev:\n secret-key: abc123\n admins: [zero, one, two three]\n\ndatabase-url: postgres://user:pass@localhost:5432/dev\n```\n\n```bash\n$ secrets get dev.admins.2\n\n\u003e two\n```\n\n\n### In Python\n\nSimply call `get` with the key. Note that if the secret is missing it will return `None`\n\n```python\nfrom secrets_vault import SecretsVault\n\nvault = SecretsVault()\n\nadmins = vault.get('dev.admins')\n```\n\n\n## Editing secrets\n\n### CLI command\n\nYou can set secrets from the CLI with a key and value:\n\n```bash\n$ secrets set foo bar\n```\n\n### Interactive editor\n\nTo edit secrets, run `secrets edit`, the file will be decrypted and your editor will open.\n\n```bash\n$ secrets edit\n\n\u003e\u003e Opening secrets file in editor...\n\n# Add your secrets below, comments are supported too.\n# dev:\n#     secret-key: abc123\n#\n# database-url: postgres://user:pass@localhost:5432/dev\n```\n\nAny saved changes will be encrypted and saved to the file on disk when you close the editor.\n\n### In Python\n\nYou can also edit secrets from code:\n\n```python\nfrom secrets_vault import SecretsVault\n\nvault = SecretsVault()\nvault.set('foo', 'bar')\nvault.save()\n```\n\n## Deleting secrets\n\n### CLI command\n\nYou can delete secrets from the CLI with a key:\n\n```bash\n$ secrets del foo\n```\n\n### In Python\n\nYou can achieve the same in Python like this:\n\n```python\nfrom secrets_vault import SecretsVault\n\nvault = SecretsVault()\nvault.delete('foo')\nvault.save()\n```\n\n\n## Printing secrets as environment variables\n\nSometimes you may want to print a secret as environment variables. It will also apply if you have nested objects. You can do so by running:\n\n```bash\n$ secrets edit\n\naws-credentials:\n    aws-access-key-id: abc123\n    aws-secret-access-key: abc456\n    \ndatabase-url: postgres://user:pass@localhost:5432/dev\n```\n\nEnvify will print the secrets ready for consumption as environment variables:\n\n```bash\n$ secrets envify aws-credentials\n\nAWS_ACCESS_KEY_ID=abc123\nAWS_SECRET_ACCESS_KEY=abc456\n```\n\nYou can also print the entire vault as environment variables:\n\n```bash\n$ secrets envify\n\nAWS_CREDENTIALS={\"aws-access-key-id\": \"abc123\", \"aws-secret-access-key\": \"abc456\"}\nDATABASE_URL=postgres://user:pass@localhost:5432/dev\n```\n\nThe following conventions are applied:\n- The key is uppercased\n- Dashes are replaced with underscores\n- Values are serialized as plain-text (eg. strings and numbers) \n- Objects are JSON encoded (eg. lists and dicts) \n\n### Consuming the output of envify\n\nYou can then use it in your shell like this:\n\n```bash\n$ $(secrets envify --export aws-credentials)\n$ echo $AWS_ACCESS_KEY_ID\n\nabc123\n```\n\nDump output to a dotenv file:\n\n```bash\n$ secrets envify aws-credentials -o .env.aws\n$ cat .env.aws\n\u003e AWS_ACCESS_KEY_ID=abc123\n\u003e AWS_SECRET_ACCESS_KEY=abc456\n```\n\n## Providing the master.key file\n\n### File on disk\nBy default, the vault will look for the master key in a file located at `./master.key`.\n\n### Environment variable\nYou can also provide it via an environment variable `MASTER_KEY`. For example:\n\n```bash\nMASTER_KEY=my-super-secret-master-key secrets edit\n```\n\nWhen a master key is provided via an environment variable, it takes precedence over the file on disk.\n\n\n### In Python\n\nYou can load the master_key from anywhere else and provide it when initializing the class:\n\n```python\nfrom secrets_vault import SecretsVault\n\n# Load from somewhere else\nmaster_key = 'my-super-secret-master-key'\n\nvault = SecretsVault(master_key=master_key)\n```\n\nThe order of precedence for the master key is:\n1. Provided via the constructor\n2. Provided via the `MASTER_KEY` environment variable\n3. Loaded from the file on disk\n\n## Configuring the default filepaths\n\n### CLI command\n\nYou can also provide them as a CLI arguments before the command:\n\n```bash\n$ secrets \\\n  --master-key-filepath ./prod/master.key \\\n  --secrets-filepath ./prod/secrets.yml.enc \\\n  init\n```\n\nThis can be used to separate your secrets by environments such as `prod`, `staging`, `dev`, each having with their own key.\n\n### In Python\n\nYou can also configure the filepaths at which your `secrets.yml.enc` and `master.key` files are located.\n\n```python\nfrom secrets_vault import SecretsVault\n\nvault = SecretsVault(master_key_filepath=..., secrets_filepath=...)\n```\n\n## Changelog\n\nSee [CHANGELOG](https://github.com/anthonynsimon/secrets-vault/blob/master/CHANGELOG.md) for the list of releases.\n\n\n## Security Disclosure\n\nIf you discover any issue regarding security, please disclose the information responsibly by sending an email to [dyer.linseed0@icloud.com](mailto:dyer.linseed0@icloud.com). Do NOT create a Issue on the GitHub repo.\n\n\n## Contributing\n\nPlease check for any existing issues before openning a new Issue. If you'd like to work on something, please open a new Issue describing what you'd like to do before submitting a Pull Request.\n\n\n## License\n\nSee [LICENSE](https://github.com/anthonynsimon/secrets-vault/blob/master/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonynsimon%2Fsecrets-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanthonynsimon%2Fsecrets-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonynsimon%2Fsecrets-vault/lists"}