A lightweight tool to easily encrypt/decrypt secrets inside a repository

Secrets Tool

This is a small tool which helps to encrypt secrets that must be committed to a Git repository.

It natively supports partial encryption of YAML files. This is a great advantage, as the YAML file structure stays visible even when some of its contents are encrypted (your PR reviewers and diff tools will thank you).

Prerequisites

  • Python >= 3.7
  • Having the following packages installed: pip install ruamel.yaml cryptography

Usage

The tool reads the list of files to encrypt/decrypt from a .gitignore file. It only considers files that are surrounded by a comment block, as in the following example:

# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml
# END ENCRYPTED

Run the tool by giving the .gitignore file as an argument, together with either an encrypt or a decrypt command:

cd <REPOSITORY_ROOT>
python -m utils.secrets_tool k8s_helm/.gitignore encrypt

Syntax

The tool provides different encryption handlers for all kinds of file types.

  • yaml for YAML files that are used by tools which are okay having a !decrypted tag in front of strings
  • yamlcompat for tools that don't like the additional 'encryption marker' tag.
  • generic for all other file types. It encrypts the complete file.

The desired encryption handler is inferred from the filetype - or it can be given explicitly in the gitignore file using the # type: hint:

# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml

# type: yaml
kaas-rubik-stage/values2.txt
# END ENCRYPTED

yamlcompat

This encryption handler can encrypt individual YAML keys without relying on 'parser visible' changes in the YAML file structure. Instead of marking the desired keys directly in the file, they are listed in the .gitignore file using a # data: comment:

# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml

# type: yamlcompat
# data: splunk.apiToken
# data: splunk.host
kaas-rubik-stage/values2.yaml
# END ENCRYPTED

WARNING: It is recommended to use the normal YAML handler whenever possible. When using the yamlcompat module, you split up your encryption logic over multiple files, which might lead to errors (especially on fragile YAML files that contain unnamed structures, like lists).
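
The block format described under Syntax and yamlcompat can be checked before committing with a small parser. This is an added example, not the tool's own code. It assumes that # type: and # data: hints apply only to the next path line, that .yaml/.yml files default to the yaml handler and everything else to generic, and that # data: is only valid with yamlcompat; the names Entry, infer_handler and parse_gitignore are hypothetical.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

HANDLERS = ("yaml", "yamlcompat", "generic")

@dataclass
class Entry:
    path: str
    handler: str
    keys: list = field(default_factory=list)

def infer_handler(path):
    # Assumption: YAML extensions select "yaml", anything else "generic".
    return "yaml" if PurePosixPath(path).suffix in (".yaml", ".yml") else "generic"

def parse_gitignore(text):
    """Return the entries listed between the BEGIN/END ENCRYPTED markers."""
    entries, inside, hint, keys = [], False, None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line in ("# BEGIN ENCRYPTED", "# END ENCRYPTED"):
            begin = line == "# BEGIN ENCRYPTED"
            if begin == inside or hint or keys:
                raise ValueError(f"line {n}: misplaced marker or dangling hint")
            inside = begin
        elif not inside or not line:
            continue  # ordinary .gitignore content or a blank line
        elif line.startswith("# type:"):
            hint = line[7:].strip()
            if hint not in HANDLERS:
                raise ValueError(f"line {n}: unknown handler {hint!r}")
        elif line.startswith("# data:"):
            keys.append(line[7:].strip())
        elif not line.startswith("#"):
            handler = hint or infer_handler(line)
            if keys and handler != "yamlcompat":
                raise ValueError(f"line {n}: '# data:' needs '# type: yamlcompat'")
            entries.append(Entry(line, handler, keys))
            hint, keys = None, []  # hints apply to one path only
    if inside:
        raise ValueError("BEGIN ENCRYPTED without END ENCRYPTED")
    return entries

# Constructed sample, built from the examples on this page.
SAMPLE = ("*.pyc\n# BEGIN ENCRYPTED\nkaas-rubik-stage/values.yaml\n\n"
          "# type: yamlcompat\n# data: splunk.apiToken\n# data: splunk.host\n"
          "kaas-rubik-stage/values2.yaml\n# END ENCRYPTED\n")

if __name__ == "__main__":
    for entry in parse_gitignore(SAMPLE):
        print(entry)
```

A missing # END ENCRYPTED or a # data: hint attached to a non-yamlcompat file raises ValueError instead of being skipped silently.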

Download files

Source Distribution: secrets_tool-0.1.0.tar.gz (6.3 kB)
Built Distribution: secrets_tool-0.1.0-py3-none-any.whl (7.8 kB, Python 3)
