{"id":22242545,"url":"https://github.com/multiversecoder/flask-vault","last_synced_at":"2025-07-28T01:31:51.483Z","repository":{"id":195041213,"uuid":"692129062","full_name":"multiversecoder/Flask-Vault","owner":"multiversecoder","description":"Flask-Vault is a robust library that empowers Flask applications to securely store and manage sensitive credentials. It provides a set of CLI commands for storing secrets using AES-GCM symmetric encryption, ensuring that vital information like API keys and database credentials remain protected.","archived":false,"fork":false,"pushed_at":"2024-11-10T18:44:37.000Z","size":41,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-10T19:25:57.626Z","etag":null,"topics":["credentials-management","flask","flask-vault","security-tools","web-application"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/multiversecoder.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-15T16:13:25.000Z","updated_at":"2024-11-10T18:44:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"b0f662ad-e172-4a07-a973-5940e4edf1c0","html_url":"https://github.com/multiversecoder/Flask-Vault","commit_stats":null,"previous_names":["multiversecoder/flask-vault"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/multiversecoder%2FFlask-Vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/multiversecoder%2FFlask-Vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/multiversecoder%2FFlask-Vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/multiversecoder%2FFlask-Vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/multiversecoder","download_url":"https://codeload.github.com/multiversecoder/Flask-Vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227850021,"owners_count":17829088,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credentials-management","flask","flask-vault","security-tools","web-application"],"created_at":"2024-12-03T04:16:33.048Z","updated_at":"2024-12-03T04:16:33.608Z","avatar_url":"https://github.com/multiversecoder.png","language":"Python","readme":"# About Flask Vault\n\n[**Flask-Vault**](https://github.com/multiversecoder/Flask-Vault) provides several cli commands and Python functions to store secrets that you do not want to keep in the clear, using symmetric encryption with **AES-GCM**. These commands and functions allow you to safely read/write very important credentials such as API keys, database credentials, etc.\n\nIn addition, **Flask-Vault** contains several helpers to simplify the encryption and decryption of data.\n\n# Why Flask-Vault instead of Dotenv?\n\nIn the world of web development, safeguarding sensitive information is a paramount concern. When it comes to managing credentials when using [Flask](https://flask.palletsprojects.com/), two prominent options emerge: **Flask-Vault** and [Dotenv](https://github.com/theskumar/python-dotenv). While both have their merits, **Flask-Vault** stands out as the superior choice for securing critical data.\n\n**Flask-Vault** offers a robust solution for protecting sensitive information. Stored in an encrypted credentials.toml.enc file, this data is shielded by an added layer of security. It can only be decrypted with the master key, ensuring that even if the file falls into the wrong hands, the information remains inaccessible.\n\nAdditionally, the encrypted editor, accessed through `flask vault edit`, allows for secure direct editing of the credentials file. This feature is invaluable for making swift adjustments to sensitive information without compromising security.\n\nWhile both **Flask-Vault** and **Dotenv** serve important functions, **Flask-Vault** stands as the superior choice for securing sensitive data. Its robust encryption and seamless integration within **Flask** make it the ideal solution for managing critical information. By prioritizing security without sacrificing accessibility, **Flask-Vault** empowers developers to build and maintain applications with the utmost confidence in their data protection measures.\n\n# About Flask-Vault Cryptography\n\nThe encryption used by `flask_vault` is **AES-GCM** with a *128-bit key*.\n\n### Why AES-GCM 128?\n\nHere are some benefits of using AES-GCM with a 128-bit key:\n- Security: AES-GCM is considered secure and is widely used in various applications including TLS (Transport Layer Security) for securing internet communication.\n\n- Efficiency: AES-GCM is known for being relatively efficient in terms of computational resources. This is especially important in scenarios where computational power may be limited, such as on IoT (Internet of Things) devices.\n\n- Fast Encryption and Decryption: AES-GCM is optimized for modern processors, which means that it can encrypt and decrypt data relatively quickly. This is important for performance-sensitive applications.\n\n- Parallelization: AES-GCM encryption and decryption can be parallelized, which means that it can take advantage of multiple processing cores in modern CPUs.\n\n-  Authenticated Encryption with Associated Data (AEAD): AES-GCM provides both confidentiality and integrity, which means that not only is the data encrypted, but it also includes a message authentication code (MAC) to verify that the data has not been tampered with.\n\n- Nonce-Based: AES-GCM requires a unique initialization vector (IV), called a nonce, for each encryption operation. This means that even if you encrypt the same data with the same key multiple times, the ciphertext will be different, adding an extra layer of security.\n\n- Widely Supported: AES-GCM is supported by many cryptographic libraries and frameworks, making it a practical choice for a wide range of applications.\n\n- Compliance: AES-GCM is often recommended or required by various security standards and compliance frameworks.\n\n# Flask-Vault Dependencies\n\nFlask-Vault uses few dependencies to secure data and files, here are the 2 main dependencies of this library:\n- [Flask](https://flask.palletsprojects.com/)\n- [Cryptography](https://cryptography.io/)\n\n```toml\npython = \"\u003e=3.7\"\ncryptography = \"^41.0.3\"\n```\n\n# Getting Started with Flask-Vault\n\n### Installing\n\nInstall and update using [pip](https://pip.pypa.io/en/stable/getting-started/)\n\n```sh\n$\u003e pip install Flask-Vault\n```\n\nInstall and update using [poetry](https://python-poetry.org/)\n\n```sh\n$\u003e poetry add Flask-Vault\n```\n\n# Documentation\n\n## How to integrate Flask-Vault with your Flask application.\n\n## Use `flask_vault.cli.vault_cli` to enable `Flask-Vault`.\n\n```python \nfrom flask import Flask\nfrom flask_vault.cli import vault_cli\n\napp = Flask(__name__)\n\n...\n# Register Command using the \napp.cli.add_command(vault_cli)\n...\n\n```\n\n\n## Using a different editor to show/edit credentials\n\nThe default editor used by `Flask-Vault` is **vi**.\n\nThe example below shows how to use an editor other than **vi** to show or edit credentials saved in `credentials.toml.enc`. As shown, the example will use `nano` editor to use the `flask vault show` command. \n\n```sh\n$\u003e EDITOR=nano flask vault show\n```\n\n## Cli Commands\n\n- \u003e **flask vault init**: The `flask vault init` command will initialize the environment needed for Flask-Vault to operate. This command will create the `credentials.toml.enc` file, the `master.key` file and the `tmp` folder (which will be used internally by Flask-Vault). If you run this command a second time, no action will be taken since you will not be able to overwrite the created files.\n- \u003e **flask vault get [secret_name]**: The `flask vault get` command will decrypt `credentials.toml.enc` and display the selected secret in terminal.\n- \u003e **flask vault show**: The `flask vault show` command will decrypt the contents of the `credentials.toml.enc` file using `master.key` and open it in read-only mode to show the saved credentials.\n- \u003e **flask vault edit**: The `flask vault show` command will decrypt the contents of the `credentials.toml.enc` file using `master.key` and open it in edit mode.\n- \u003e **flask vault encrypt [filename]**: The `flask vault encrypt` command will create an encrypted file. The generated file will be protected by AES-GCM encryption and will use a `.enc` extension to distinguish it from the plaintext file.\n- \u003e **flask vault decrypt [filename]**: The `flask vault decrypt` command will decrypt a file with the extension `.enc` and display its contents in the terminal.\n\n\n## Encrypting data using `flask_vault.utils.aes_gcm_encrypt`\n\nEncrypting data without exposing the encryption key within the application using `flask_vault.utils.aes_gcm_encrypt`\n\n```python\nfrom flask import Flask\nfrom flask_vault.utils import aes_gcm_encrypt\n\napp = Flask(__name__)\n\n\n@app.route(\"/encrypted\", methods=[\"GET\"])\ndef encrypted():\n    ctx = {\n        \"encrypted\": aes_gcm_encrypt(\"my.app.secret\")\n    }\n    return render_template(\"encrypted.html\", **ctx)\n```\n\n## Decrypting data using `flask_vault.utils.aes_gcm_decrypt`\n\nDecrypting data without exposing the encryption key within the application using `flask_vault.utils.aes_gcm_decrypt`\n\n```python \nfrom flask import Flask\nfrom flask_vault.utils import aes_gcm_decrypt\n\n\napp = Flask(__name__)\n\n@æpp.route(\"/decrypt\", methods=[\"GET\"])\ndef decrypt():\n    encrypted_data = request.args.get(\"encrypted\", None)\n    ctx = {\n        \"plaintext\": aes_gcm_decrypt(encrypted_data) if encrypted_data is not None else \"Missing encrypted data!\"\n    }\n    return render_template(\"decrypt.html\", **ctx)\n```\n\n## Obtaining credentials stored inside the `credentials.toml.enc` file\n\nThe example below shows how to get secrets from the `credentials.toml.enc` file using Flask-Vault's `get_secret` function. In this example `get_secret` will be used to configure the database, preventing anyone who does not have access to the `master.key` from reading the username, password, and database name in clear text\n\n\n#### credentials.toml.enc (after editing)\n\n```toml\n# ... other stuff\n[db]\nname = \"my-db-name\"\nusername = \"root\"\npassword = \"my-db-password\"\n```\n\n### How to get secrets from `credentials.toml.enc`\n\nUse the `flask_vault.utils.get_secret` function to obtain secrets and credentials stored inside the `credentials.toml.enc` file.\n\n#### app.py using `flask_vault.utils.get_secret`\n```python\nimport sys\nimport mariadb\nfrom flask import Flask, request, g\nfrom flask_vault.utils import get_secret\n\napp = Flask(__name__)\n\ndef get_db():\n    db = getattr(g, \"_database\", None)\n    if db is None:\n        try:\n            conn = mariadb.connect(\n                user=get_secret(\"db\").get(\"username\"),\n                password=get_secret(\"db\").get(\"password\"),\n                host=\"127.0.0.1\",\n                port=3306,\n                database=get_secret(\"db\").get(\"name\"),\n            )\n            db = g._database = conn \n        except mariadb.Error as e:\n            print(f\"Error connecting to MariaDB Platform: {e}\")\n            sys.exit(1)\n    return db\n\n@app.teardown_appcontext\ndef close_connection(exception):\n    db = getattr(g, \"_database\", None)\n    if db is not None:\n        db.close()\n```\n\n# Contributing\n\nQuestions, comments or improvements, please create an issue on [Github](https://github.com/multiversecoder/Flask-Vault/issues).\n\nTo suggest a change to the code or documentation, please create a new pull request on GitHub. Also, please squash multiple commits into a single commit in your pull request by rebasing onto the master branch.\n\n\n# Donation\n\nIf you feel that my work has been useful and you are interested in supporting this project and any future projects, please leave me a donation using one of the following cryptocurrencies.\n\n\n- **Bitcoin (Segwit)**: `bc1qy8h7d9xt8442axcyzdq8q3vglvcqzexdmjhawp`\n\n# License\n\nMIT License\n\nCopyright (c) 2023-present Adriano Romanazzo \u003cgithub.com/multiversecoder\u003e\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmultiversecoder%2Fflask-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmultiversecoder%2Fflask-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmultiversecoder%2Fflask-vault/lists"}