Code Crypt provides a simple Python library and command line interface to manage your application secrets within a project repository. Master keys are managed externally by the AWS Key Management Service (KMS), which perform envelope encryption on a RSA private key used for decrypts on individual secrets within a particular environment context. Encrypted secrets are kept as binary files within the project folder using hybrid RSA-AES cryptopgraphy.
- Self-serve for project contributors
- Scalable for a large amount of secrets (1 KMS API call to decrypt all secrets)
- CRUD operations on a per-secret basis
- Environment contexts (development, staging, production)
We have a project my_project that we'd like to initialize with 3 different
environment contexts (development, staging and production) with their own
KMS master keys.
$ APP_ROOT=/Users/bob/my_project code-crypt --env development --init --kms-key-id aaaaaaaa-bbbb-cccc-dddd-123456111111
$ APP_ROOT=/Users/bob/my_project code-crypt --env staging --init --kms-key-id eeeeeeee-ffff-gggg-hhhh-123456222222
$ APP_ROOT=/Users/bob/my_project code-crypt --env production --init --kms-key-id iiiiiiii-jjjj-kkkk-llll-123456333333
This will initialize the project folder with a data directory of the following structure:
$ pwd
/Users/bob/my_project
$ tree
.
└── code_crypt
└── data
├── keys
│ ├── development
│ │ ├── encrypted_private_key.pem
│ │ └── public_key.asc
│ ├── production
│ │ ├── encrypted_private_key.pem
│ │ └── public_key.asc
│ └── staging
│ ├── encrypted_private_key.pem
│ └── public_key.asc
└── secrets
├── development
├── production
└── staging
(Note: --env defaults to development and won't be explicitly used in this
guide going forward.)
Single secrets can be encrypted with --encrypt option.
$ APP_ROOT=/Users/bob/my_project code-crypt --encrypt SOME_SECRET='a1b2c3'
In this case an encrypted binary file would be created at
code_crypt/data/secrets/development/SOME_SECRET.bin.
Single secrets can be decrypted with --decrypt option which returns a
plaintext value.
$ APP_ROOT=/Users/bob/my_project code-crypt --decrypt SOME_SECRETa1b2c3
Multiple secrets can be decrypted with the --decrypt-all option which returns
a JSON string of key-value pairs.
$ APP_ROOT=/Users/bob/my_project code-crypt --decrypt-all
{
"SOME_SECRET": "a1b2c3"
}
Prerequisite: Grant your application run-time authentication to its environment's respective KMS master key.
Create a Code Crypt object and run the decrypt() function.
from code_crypt import core as code_crypt
CC = code_crypt.CodeCrypt(app_root=MY_APP_ROOT, env=MY_ENV)
CC_SECRETS = CC.decrypt()The resulting CC_SECRETS object is a dict of decrypted secret key-value pairs.
If you are interested in working on the codebase, setting up your development environment is quick and easy.
$ make venv
$ source .venv/bin/activate