Missing a tool like rails credentials:edit for your Python projects?
Derailed Credentials brings encrypted secret management to Python, inspired by Rails Credentials. Securely manage encrypted secrets and configuration files for your projects.
The derailed commands provide access to encrypted credentials,
so you can safely store access tokens, database passwords, and the like
safely inside the app without relying on a mess of ENVs.
This also allows for atomic deploys: no need to coordinate key changes to get everything working as the keys are shipped with the code.
pipx install derailed-credentials
As a standalone command-line tool:
derailed generate-key # Generate new master key
derailed edit # Edit credentials file
derailed show # Show decrypted credentials
derailed fetch path # Fetch a value
Programmatic usage:
from derailed import Credentials
creds = Credentials()
api_key = creds.api_key
db_password = creds.database.password
They master key can be read from a file, default to config/master.key, or
can be set using the MASTER_KEY environment variable.
Don't lose this master key! Put it in a password manager your team can access. Should you lose it no one, including you, will be able to access any encrypted credentials.
First generate a master key and store it securely:
$ derailed generate-key
Master key [redacted] created at config/master.key
Keep this key secure! You can also set it as MASTER_KEY environment variable.
Ensure the master key is not versioned:
$ echo "config/master.key" >> .gitignore
Enable the git diff driver:
$ derailed diff --enroll
Edit the credentials:
$ derailed edit
Access the credentials either programmatically or with the CLI:
$ derailed fetch my.key