A lightweight tool to easily encrypt/decrypt secrets inside a repository
Project description
Secrets Tool
This is a small tool that helps to encrypt secrets which must be committed to a Git repository.
Its main advantage is native support for partial encryption of YAML files. This is very useful, as it keeps the YAML file structure visible even when some of its values are encrypted (your PR reviewers and diff tools will thank you).
Prerequisites
- Python >= 3.7
- Having the following packages installed:
pip install ruamel.yaml cryptography
Usage
The tool reads the list of files to encrypt/decrypt from a .gitignore file. In there it only considers files that are surrounded by a comment block, as in the following example:
# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml
# END ENCRYPTED
Run the tool by giving the .gitignore file as an argument, together with either an encrypt or a decrypt command:
cd <REPOSITORY_ROOT>
python -m utils.secrets_tool k8s_helm/.gitignore encrypt
Syntax
The tool provides different encryption handlers for all kinds of file types:
- yaml: for YAML files that are used by tools which are okay with having a !decrypted tag in front of strings
- yamlcompat: for tools that don't like the additional 'encryption marker' tag
- generic: for all other file types. It encrypts the complete file.
The desired encryption handler is inferred from the file type, or it can be given explicitly in the .gitignore file using the # type: hint:
# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml
# type: yaml
kaas-rubik-stage/values2.txt
# END ENCRYPTED
yamlcompat
This encryption handler can encrypt individual YAML keys without relying on 'parser visible' changes in the YAML file structure.
Instead of marking the desired keys directly in the file, they are listed in the .gitignore file using a # data: comment:
# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml
# type: yamlcompat
# data: splunk.apiToken
# data: splunk.host
kaas-rubik-stage/values2.yaml
# END ENCRYPTED
WARNING: It is recommended to use the normal YAML handler whenever possible. When using the yamlcompat handler, your encryption logic is split across multiple files, which can lead to errors (especially with fragile YAML files that contain unnamed structures, like lists).
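To make the .gitignore block format above concrete, here is an added example parser for it (not the tool's own code). It assumes that a # type: or # data: hint applies to the file path that follows it, that handlers are inferred from the extension (.yaml/.yml → yaml, everything else → generic), and that a hint left without a following file is a configuration error; the sample .gitignore content is constructed from the README examples.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed .gitignore content mirroring the README examples (not a real file).
SAMPLE_GITIGNORE = """\
*.pyc
# BEGIN ENCRYPTED
kaas-rubik-stage/values.yaml
# type: yamlcompat
# data: splunk.apiToken
# data: splunk.host
kaas-rubik-stage/values2.yaml
# type: yaml
kaas-rubik-stage/values2.txt
other.json
# END ENCRYPTED
build/
"""

@dataclass
class Entry:
    path: str
    handler: str                     # 'yaml', 'yamlcompat' or 'generic'
    data_keys: List[str] = field(default_factory=list)   # only used by yamlcompat

def infer_handler(path: str) -> str:
    """Assumed inference rule: YAML extensions get the yaml handler, the rest generic."""
    return "yaml" if path.lower().endswith((".yaml", ".yml")) else "generic"

def parse_encrypted_block(text: str) -> List[Entry]:
    """Return the files between # BEGIN ENCRYPTED and # END ENCRYPTED with their hints."""
    entries: List[Entry] = []
    inside = False
    pending_type: Optional[str] = None   # hint collected for the next file path
    pending_data: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "# BEGIN ENCRYPTED":
            inside = True
            continue
        if line == "# END ENCRYPTED":
            break
        if not inside or not line:
            continue                     # ordinary .gitignore lines are ignored
        if line.startswith("#"):
            hint = re.match(r"#\s*(type|data):\s*(\S+)$", line)
            if hint and hint.group(1) == "type":
                pending_type = hint.group(2)
            elif hint:
                pending_data.append(hint.group(2))
            continue                     # any other comment carries no meaning
        entries.append(Entry(line, pending_type or infer_handler(line), pending_data))
        pending_type, pending_data = None, []
    if pending_type or pending_data:
        raise ValueError("type/data hint is not followed by a file path")
    return entries
```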
File details
Details for the file secrets_tool-0.1.0.tar.gz.
File metadata
- Download URL: secrets_tool-0.1.0.tar.gz
- Upload date:
- Size: 6.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.9 CPython/3.8.3 Linux/5.3.0-1028-azure
File hashes
Algorithm | Hash digest
---|---
SHA256 | cf7f0ce84375d06964228300e1811cb76de2528a708cc252ec33e1b93f48e9b9
MD5 | 9417d7cf70267159550d5908e7315977
BLAKE2b-256 | 4da416e267dc043fdd8f74f49eb91244d52a85f79c993eaf98ad6fffddf00374
File details
Details for the file secrets_tool-0.1.0-py3-none-any.whl.
File metadata
- Download URL: secrets_tool-0.1.0-py3-none-any.whl
- Upload date:
- Size: 7.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.9 CPython/3.8.3 Linux/5.3.0-1028-azure
File hashes
Algorithm | Hash digest
---|---
SHA256 | b82a7ab01794074171970385e766957d4d0e95ccc2b2ca0e25b169c4fb383c66
MD5 | fd795f1cc718c855cc3a4dc515bb5ad5
BLAKE2b-256 | fd8999ce796967367bc273549ccdb042844815c0da55deddbcf53d2e0f835ba3