{ "info": { "author": "Nextdoor Engineering", "author_email": "nehal@nextdoor.com", "bugtrack_url": null, "classifiers": [], "description": "[![CircleCI](https://circleci.com/gh/Nextdoor/code-crypt.svg)](https://circleci.com/gh/Nextdoor/code-crypt)\n\n# Code Crypt\n\nCode Crypt provides a simple Python library and command line interface to \nmanage your application secrets within a project repository. Master keys are\nmanaged externally by the AWS Key Management Service (KMS), which performs \nenvelope encryption on an RSA private key used to decrypt individual\nsecrets within a particular environment context. Encrypted secrets are kept \nas binary files within the project folder using hybrid RSA-AES cryptography.\n\nIt supports Python 2.6 or newer and all Python 3 versions.\n\n## Features\n\n- Self-serve for project contributors\n- Scalable for a large number of secrets (1 KMS API call to decrypt all secrets)\n- CRUD operations on a per-secret basis\n- Environment contexts (development, staging, production)\n\n## Initialize Project\n\nWe have a project `my_project` that we'd like to initialize with 3 different \nenvironment contexts (`development`, `staging` and `production`) with their own \nKMS master keys.\n\n $ APP_ROOT=/Users/bob/my_project code-crypt --env development --init --kms-key-id aaaaaaaa-bbbb-cccc-dddd-123456111111\n $ APP_ROOT=/Users/bob/my_project code-crypt --env staging --init --kms-key-id eeeeeeee-ffff-gggg-hhhh-123456222222\n $ APP_ROOT=/Users/bob/my_project code-crypt --env production --init --kms-key-id iiiiiiii-jjjj-kkkk-llll-123456333333\n \nThis will initialize the project folder with a data directory of the following \nstructure:\n\n $ pwd\n /Users/bob/my_project\n $ tree\n .\n \u2514\u2500\u2500 code_crypt\n \u2514\u2500\u2500 data\n \u251c\u2500\u2500 keys\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 development\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 encrypted_private_key.pem\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 
\u2514\u2500\u2500 public_key.asc\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 production\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 encrypted_private_key.pem\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 public_key.asc\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 staging\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 encrypted_private_key.pem\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 public_key.asc\n \u2514\u2500\u2500 secrets\n \u251c\u2500\u2500 development\n \u251c\u2500\u2500 production\n \u2514\u2500\u2500 staging\n \n(Note: `--env` defaults to `development` and won't be explicitly used in this \nguide going forward.)\n\n## Encrypt Secrets\n\nSingle secrets can be encrypted with the `--encrypt` option.\n\n $ APP_ROOT=/Users/bob/my_project code-crypt --encrypt SOME_SECRET='a1b2c3'\n \nIn this case an encrypted binary file would be created at \n`code_crypt/data/secrets/development/SOME_SECRET.bin`.\n \n## Decrypt Secrets (CLI)\n\nSingle secrets can be decrypted with the `--decrypt` option, which returns the \nplaintext value.\n\n $ APP_ROOT=/Users/bob/my_project code-crypt --decrypt SOME_SECRET\n a1b2c3\n \nMultiple secrets can be decrypted with the `--decrypt-all` option, which returns \na JSON string\nof key-value pairs.\n\n $ APP_ROOT=/Users/bob/my_project code-crypt --decrypt-all\n {\n \"SOME_SECRET\": \"a1b2c3\"\n }\n\n## Decrypt Secrets (Application)\n\nPrerequisite: Grant your application run-time access to its environment's respective \nKMS master key.\n\nCreate a Code Crypt object and run the `decrypt()` function.\n\n from code_crypt import core as code_crypt\n\n CC = code_crypt.CodeCrypt(app_root=MY_APP_ROOT, env=MY_ENV)\n CC_SECRETS = CC.decrypt()\n \nThe resulting `CC_SECRETS` object is a dict of decrypted secret key-value pairs.\n\n\n# Developer Setup\n\nIf you are interested in working on the codebase, setting up your development\nenvironment is quick and easy.\n\n $ virtualenv .venv\n $ source .venv/bin/activate\n $ pip install -r 
requirements.txt", "description_content_type": null, "docs_url": null, "download_url": "https://github.com/Nextdoor/code-crypt/tarball/v0.0.10", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/Nextdoor/code-crypt", "keywords": "", "license": "Apache License, Version 2.0", "maintainer": "", "maintainer_email": "", "name": "code-crypt", "package_url": "https://pypi.org/project/code-crypt/", "platform": "", "project_url": "https://pypi.org/project/code-crypt/", "project_urls": { "Download": "https://github.com/Nextdoor/code-crypt/tarball/v0.0.10", "Homepage": "https://github.com/Nextdoor/code-crypt" }, "release_url": "https://pypi.org/project/code-crypt/0.0.10/", "requires_dist": null, "requires_python": "", "summary": "Code Crypt", "version": "0.0.10" }, "last_serial": 3223637, "releases": { "0.0.10": [ { "comment_text": "", "digests": { "md5": "a609d7b4207b66744eeb5e2d8f29f3be", "sha256": "e71b3f5406bec45cecefd859f7bf798c4e81be42c9e663aa3913551b1c45ea40" }, "downloads": -1, "filename": "code_crypt-0.0.10-py2.7.egg", "has_sig": false, "md5_digest": "a609d7b4207b66744eeb5e2d8f29f3be", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 10557, "upload_time": "2017-10-03T23:36:02", "url": "https://files.pythonhosted.org/packages/b0/1e/3200992c79328f1ca16d1e50f08fecd364602a9fe9a0894d7384c687f37e/code_crypt-0.0.10-py2.7.egg" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "a609d7b4207b66744eeb5e2d8f29f3be", "sha256": "e71b3f5406bec45cecefd859f7bf798c4e81be42c9e663aa3913551b1c45ea40" }, "downloads": -1, "filename": "code_crypt-0.0.10-py2.7.egg", "has_sig": false, "md5_digest": "a609d7b4207b66744eeb5e2d8f29f3be", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 10557, "upload_time": "2017-10-03T23:36:02", "url": 
"https://files.pythonhosted.org/packages/b0/1e/3200992c79328f1ca16d1e50f08fecd364602a9fe9a0894d7384c687f37e/code_crypt-0.0.10-py2.7.egg" } ] }