# python-dotenv-vault [](http://badge.fury.io/py/python-dotenv-vault)
<img src="https://raw.githubusercontent.com/motdotla/dotenv/master/dotenv.svg" alt="dotenv-vault" align="right" width="200" />
Extends the proven & trusted foundation of [python-dotenv](https://github.com/theskumar/python-dotenv), with a `.env.vault` file.
The extended standard lets you load encrypted secrets from your `.env.vault` file in production (and other) environments. Brought to you by the same people that pioneered [dotenv-nodejs](https://github.com/motdotla/dotenv).
* [π± Install](#-install)
* [ποΈ Usage (.env)](#%EF%B8%8F-usage)
* [π Deploying (.env.vault) π](#-deploying)
* [π΄ Multiple Environments](#-manage-multiple-environments)
* [β FAQ](#-faq)
* [β±οΈ Changelog](./CHANGELOG.md)
## π± Install
```shell
pip install python-dotenv-vault
```
## ποΈ Usage
Development usage works just like [python-dotenv](https://github.com/theskumar/python-dotenv).
Add your application configuration to your `.env` file in the root of your project:
```shell
S3_BUCKET=YOURS3BUCKET
SECRET_KEY=YOURSECRETKEYGOESHERE
```
As early as possible in your application bootstrap process, load .env:
```python
import os
from dotenv_vault import load_dotenv
load_dotenv() # take environment variables from .env.
# Code of your application, which uses environment variables (e.g. from `os.environ` or
# `os.getenv`) as if they came from the actual environment.
```
When your application loads, these variables will be available in `os.environ` or `os.getenv`:
```python
import os
s3_bucket = os.getenv("S3_BUCKET")
print(s3_bucket)
```
## π Deploying
Encrypt your environment variables by doing:
```shell
npx dotenv-vault local build
```
This will create an encrypted `.env.vault` file along with a `.env.keys` file containing the encryption keys. Set the `DOTENV_KEY` environment variable by copying and pasting the key value from the `.env.keys` file onto your server or cloud provider. For example in heroku:
```shell
heroku config:set DOTENV_KEY=<key string from .env.keys>
```
Commit your .env.vault file safely to code and deploy. Your .env.vault fill be decrypted on boot, its environment variables injected, and your app work as expected.
Note that when the `DOTENV_KEY` environment variable is set, environment settings will *always* be loaded from the `.env.vault` file in the project root. For development use, you can leave the `DOTENV_KEY` environment variable unset and fall back on the `dotenv` behaviour of loading from `.env` or a specified set of files (see [here in the `dotenv` README](https://github.com/bkeepers/dotenv#usage) for the details).
## π΄ Manage Multiple Environments
You have two options for managing multiple environments - locally managed or vault managed - both use [dotenv-vault](https://github.com/dotenv-org/dotenv-vault).
Locally managed never makes a remote API call. It is completely managed on your machine. Vault managed adds conveniences like backing up your .env file, secure sharing across your team, access permissions, and version history. Choose what works best for you.
#### π» Locally Managed
Create a `.env.production` file in the root of your project and put your production values there.
```shell
# .env.production
S3_BUCKET="PRODUCTION_S3BUCKET"
SECRET_KEY="PRODUCTION_SECRETKEYGOESHERE"
```
Rebuild your `.env.vault` file.
```shell
npx dotenv-vault local build
```
View your `.env.keys` file. There is a production `DOTENV_KEY` that pairs with the `DOTENV_VAULT_PRODUCTION` cipher in your `.env.vault` file.
Set the production `DOTENV_KEY` on your server, recommit your `.env.vault` file to code, and deploy. That's it!
Your .env.vault fill be decrypted on boot, its production environment variables injected, and your app work as expected.
#### π Vault Managed
Sync your .env file. Run the push command and follow the instructions. [learn more](/docs/sync/quickstart)
```
$ npx dotenv-vault push
```
Manage multiple environments with the included UI. [learn more](/docs/tutorials/environments)
```
$ npx dotenv-vault open
```
Build your `.env.vault` file with multiple environments.
```
$ npx dotenv-vault build
```
Access your `DOTENV_KEY`.
```
$ npx dotenv-vault keys
```
Set the production `DOTENV_KEY` on your server, recommit your `.env.vault` file to code, and deploy. That's it!
## β FAQ
#### What happens if `DOTENV_KEY` is not set?
Dotenv Vault gracefully falls back to [python-dotenv](https://github.com/theskumar/python-dotenv) when `DOTENV_KEY` is not set. This is the default for development so that you can focus on editing your `.env` file and save the `build` command until you are ready to deploy those environment variables changes.
#### Should I commit my `.env` file?
No. We **strongly** recommend against committing your `.env` file to version control. It should only include environment-specific values such as database passwords or API keys. Your production database should have a different password than your development database.
#### Should I commit my `.env.vault` file?
Yes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.
#### Can I share the `DOTENV_KEY`?
No. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.
## Contributing
1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Added some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request
## Changelog
See [CHANGELOG.md](CHANGELOG.md)
## License
MIT
# Changelog
All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
## [Unreleased](https://github.com/dotenv-org/python-dotenv-vault/compare/v0.5.1...master)
##Β 0.6.4
###Β Changed
- Bump Cryptography above 41.0.3 to resolve [#19](https://github.com/dotenv-org/python-dotenv-vault/issues/19) (High severity [CVE-2023-38325](https://nvd.nist.gov/vuln/detail/CVE-2023-38325))
## 0.6.3
### Changed
- Fixed a bug where it was looking up .env instead of .env.vault [#18](https://github.com/dotenv-org/python-dotenv-vault/pull/18)
## 0.6.2
### Changed
- Look for .env.vault file at same location as .env file. Finds .env file anywhere in app (just like original python lib) [#13](https://github.com/dotenv-org/python-dotenv-vault/pull/13)
## 0.6.1
### Changed
- Fix fallback issue with gunicorn not respecting the current working directory when attempting to call `find_dotenv`. [#17](https://github.com/dotenv-org/python-dotenv-vault/pull/17)
## 0.6.0
### Changed
- Fix environment variable load [#12](https://github.com/dotenv-org/python-dotenv-vault/pull/12)
## 0.5.1
### Changed
- Fix error reference [#10](https://github.com/dotenv-org/python-dotenv-vault/pull/10)
## 0.5.0
### Added
- Reorganise and simplify code
- Make API correspond more closely to `python-dotenv`
- Improve error handling
- Add tests and CI
- Upgrade to `build` for release build
## 0.4.1
### Added
- expand cryptography library version range for better support
## 0.4.0
### Added
- Added feature to allow custom .env.vault path
## 0.3.0
### Added
- Added backward compatibility python version 3.7+
## 0.2.0
### Added
- Added comma separated capability to `DOTENV_KEY`. Add multiple keys to your DOTENV_KEY for use with decryption. Separate with a comma.
## 0.1.1
### Added
- Added support for handling any environment
## 0.1.0
### Added
- Added README and CHANGELOG
## 0.0.9
### Added
- Decrypting .env.vault file when `DOTENV_KEY` is set.
## 0.0.8 and prior
Please see commit history.
Raw data
{
"_id": null,
"home_page": "https://github.com/dotenv-org/python-dotenv-vault",
"name": "python-dotenv-vault",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "environment,environment variables,deployments,settings,env,dotenv,configurations,python,dotenv-vault",
"author": "dotenv",
"author_email": "mot@dotenv.org",
"download_url": "https://files.pythonhosted.org/packages/51/b1/c02f503bb5d36916a539e3ab70ec9800a8565a482add67d6106df16d4bc5/python-dotenv-vault-0.6.4.tar.gz",
"platform": null,
"description": "# python-dotenv-vault [](http://badge.fury.io/py/python-dotenv-vault)\n\n<img src=\"https://raw.githubusercontent.com/motdotla/dotenv/master/dotenv.svg\" alt=\"dotenv-vault\" align=\"right\" width=\"200\" />\n\nExtends the proven & trusted foundation of [python-dotenv](https://github.com/theskumar/python-dotenv), with a `.env.vault` file.\n\nThe extended standard lets you load encrypted secrets from your `.env.vault` file in production (and other) environments. Brought to you by the same people that pioneered [dotenv-nodejs](https://github.com/motdotla/dotenv).\n\n* [\ud83c\udf31 Install](#-install)\n* [\ud83c\udfd7\ufe0f Usage (.env)](#%EF%B8%8F-usage)\n* [\ud83d\ude80 Deploying (.env.vault) \ud83c\udd95](#-deploying)\n* [\ud83c\udf34 Multiple Environments](#-manage-multiple-environments)\n* [\u2753 FAQ](#-faq)\n* [\u23f1\ufe0f Changelog](./CHANGELOG.md)\n\n## \ud83c\udf31 Install\n\n```shell\npip install python-dotenv-vault\n```\n\n## \ud83c\udfd7\ufe0f Usage\n\nDevelopment usage works just like [python-dotenv](https://github.com/theskumar/python-dotenv).\n\nAdd your application configuration to your `.env` file in the root of your project:\n\n```shell\nS3_BUCKET=YOURS3BUCKET\nSECRET_KEY=YOURSECRETKEYGOESHERE\n```\n\nAs early as possible in your application bootstrap process, load .env:\n\n```python\nimport os\nfrom dotenv_vault import load_dotenv\n\nload_dotenv() # take environment variables from .env.\n\n# Code of your application, which uses environment variables (e.g. from `os.environ` or\n# `os.getenv`) as if they came from the actual environment.\n```\n\nWhen your application loads, these variables will be available in `os.environ` or `os.getenv`:\n\n```python\nimport os\ns3_bucket = os.getenv(\"S3_BUCKET\")\nprint(s3_bucket)\n```\n\n## \ud83d\ude80 Deploying\n\nEncrypt your environment variables by doing:\n\n```shell\nnpx dotenv-vault local build\n```\n\nThis will create an encrypted `.env.vault` file along with a `.env.keys` file containing the encryption keys. Set the `DOTENV_KEY` environment variable by copying and pasting the key value from the `.env.keys` file onto your server or cloud provider. For example in heroku:\n\n```shell\nheroku config:set DOTENV_KEY=<key string from .env.keys>\n```\n\nCommit your .env.vault file safely to code and deploy. Your .env.vault fill be decrypted on boot, its environment variables injected, and your app work as expected.\n\nNote that when the `DOTENV_KEY` environment variable is set, environment settings will *always* be loaded from the `.env.vault` file in the project root. For development use, you can leave the `DOTENV_KEY` environment variable unset and fall back on the `dotenv` behaviour of loading from `.env` or a specified set of files (see [here in the `dotenv` README](https://github.com/bkeepers/dotenv#usage) for the details).\n\n## \ud83c\udf34 Manage Multiple Environments\n\nYou have two options for managing multiple environments - locally managed or vault managed - both use [dotenv-vault](https://github.com/dotenv-org/dotenv-vault).\n\nLocally managed never makes a remote API call. It is completely managed on your machine. Vault managed adds conveniences like backing up your .env file, secure sharing across your team, access permissions, and version history. Choose what works best for you.\n\n#### \ud83d\udcbb Locally Managed\n\nCreate a `.env.production` file in the root of your project and put your production values there.\n\n```shell\n# .env.production\nS3_BUCKET=\"PRODUCTION_S3BUCKET\"\nSECRET_KEY=\"PRODUCTION_SECRETKEYGOESHERE\"\n```\n\nRebuild your `.env.vault` file.\n\n```shell\nnpx dotenv-vault local build\n```\n\nView your `.env.keys` file. There is a production `DOTENV_KEY` that pairs with the `DOTENV_VAULT_PRODUCTION` cipher in your `.env.vault` file.\n\nSet the production `DOTENV_KEY` on your server, recommit your `.env.vault` file to code, and deploy. That's it!\n\nYour .env.vault fill be decrypted on boot, its production environment variables injected, and your app work as expected.\n\n#### \ud83d\udd10 Vault Managed\n\nSync your .env file. Run the push command and follow the instructions. [learn more](/docs/sync/quickstart)\n\n```\n$ npx dotenv-vault push\n```\n\nManage multiple environments with the included UI. [learn more](/docs/tutorials/environments)\n\n```\n$ npx dotenv-vault open\n```\n\nBuild your `.env.vault` file with multiple environments.\n\n```\n$ npx dotenv-vault build\n```\n\nAccess your `DOTENV_KEY`.\n\n```\n$ npx dotenv-vault keys\n```\n\nSet the production `DOTENV_KEY` on your server, recommit your `.env.vault` file to code, and deploy. That's it!\n\n## \u2753 FAQ\n\n#### What happens if `DOTENV_KEY` is not set?\n\nDotenv Vault gracefully falls back to [python-dotenv](https://github.com/theskumar/python-dotenv) when `DOTENV_KEY` is not set. This is the default for development so that you can focus on editing your `.env` file and save the `build` command until you are ready to deploy those environment variables changes.\n\n#### Should I commit my `.env` file?\n\nNo. We **strongly** recommend against committing your `.env` file to version control. It should only include environment-specific values such as database passwords or API keys. Your production database should have a different password than your development database.\n\n#### Should I commit my `.env.vault` file?\n\nYes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.\n\n#### Can I share the `DOTENV_KEY`?\n\nNo. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.\n\n## Contributing\n\n1. Fork it\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Commit your changes (`git commit -am 'Added some feature'`)\n4. Push to the branch (`git push origin my-new-feature`)\n5. Create new Pull Request\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md)\n\n## License\n\nMIT\n\n# Changelog\n\nAll notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.\n\n## [Unreleased](https://github.com/dotenv-org/python-dotenv-vault/compare/v0.5.1...master)\n\n##\u00a00.6.4\n\n###\u00a0Changed\n\n- Bump Cryptography above 41.0.3 to resolve [#19](https://github.com/dotenv-org/python-dotenv-vault/issues/19) (High severity [CVE-2023-38325](https://nvd.nist.gov/vuln/detail/CVE-2023-38325))\n\n## 0.6.3\n\n### Changed\n\n- Fixed a bug where it was looking up .env instead of .env.vault [#18](https://github.com/dotenv-org/python-dotenv-vault/pull/18)\n\n## 0.6.2\n\n### Changed\n\n- Look for .env.vault file at same location as .env file. Finds .env file anywhere in app (just like original python lib) [#13](https://github.com/dotenv-org/python-dotenv-vault/pull/13)\n\n## 0.6.1\n\n### Changed\n\n- Fix fallback issue with gunicorn not respecting the current working directory when attempting to call `find_dotenv`. [#17](https://github.com/dotenv-org/python-dotenv-vault/pull/17)\n\n## 0.6.0\n\n### Changed\n\n- Fix environment variable load [#12](https://github.com/dotenv-org/python-dotenv-vault/pull/12)\n\n## 0.5.1\n\n### Changed\n\n- Fix error reference [#10](https://github.com/dotenv-org/python-dotenv-vault/pull/10)\n\n## 0.5.0\n\n### Added\n\n- Reorganise and simplify code\n- Make API correspond more closely to `python-dotenv`\n- Improve error handling\n- Add tests and CI\n- Upgrade to `build` for release build\n \n## 0.4.1\n\n### Added\n\n- expand cryptography library version range for better support\n\n## 0.4.0\n\n### Added\n\n- Added feature to allow custom .env.vault path\n\n## 0.3.0\n\n### Added\n\n- Added backward compatibility python version 3.7+\n\n## 0.2.0\n\n### Added\n\n- Added comma separated capability to `DOTENV_KEY`. Add multiple keys to your DOTENV_KEY for use with decryption. Separate with a comma.\n\n## 0.1.1\n\n### Added\n\n- Added support for handling any environment\n\n## 0.1.0\n\n### Added\n\n- Added README and CHANGELOG\n\n## 0.0.9\n\n### Added\n\n- Decrypting .env.vault file when `DOTENV_KEY` is set.\n\n## 0.0.8 and prior\n\nPlease see commit history.\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Decrypt .env.vault file.",
"version": "0.6.4",
"project_urls": {
"Homepage": "https://github.com/dotenv-org/python-dotenv-vault"
},
"split_keywords": [
"environment",
"environment variables",
"deployments",
"settings",
"env",
"dotenv",
"configurations",
"python",
"dotenv-vault"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "4715da0534f34df450de4fe2340b203ea833da44e66242de0322ab0d32276ae9",
"md5": "2b03eae07bd050ef7e5710d9b5556c07",
"sha256": "0d3fa2ee44cc5aee1fcb86ddb2eed6ff28e4b5f89a828981a4cdc2f86618fbdd"
},
"downloads": -1,
"filename": "python_dotenv_vault-0.6.4-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2b03eae07bd050ef7e5710d9b5556c07",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 9844,
"upload_time": "2023-11-13T06:23:01",
"upload_time_iso_8601": "2023-11-13T06:23:01.853248Z",
"url": "https://files.pythonhosted.org/packages/47/15/da0534f34df450de4fe2340b203ea833da44e66242de0322ab0d32276ae9/python_dotenv_vault-0.6.4-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "51b1c02f503bb5d36916a539e3ab70ec9800a8565a482add67d6106df16d4bc5",
"md5": "d84b6a4ceb9353205c646a3c7fdc6d20",
"sha256": "b3b928c58fc2846aca0e4399cef353f361c9c7e5a967cb6dffe12619806626d0"
},
"downloads": -1,
"filename": "python-dotenv-vault-0.6.4.tar.gz",
"has_sig": false,
"md5_digest": "d84b6a4ceb9353205c646a3c7fdc6d20",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 12220,
"upload_time": "2023-11-13T06:23:03",
"upload_time_iso_8601": "2023-11-13T06:23:03.584665Z",
"url": "https://files.pythonhosted.org/packages/51/b1/c02f503bb5d36916a539e3ab70ec9800a8565a482add67d6106df16d4bc5/python-dotenv-vault-0.6.4.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-11-13 06:23:03",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "dotenv-org",
"github_project": "python-dotenv-vault",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "python-dotenv",
"specs": [
[
"~=",
"0.21.0"
]
]
},
{
"name": "cryptography",
"specs": [
[
"<",
"42.0.0"
],
[
">",
"41.0.3"
]
]
}
],
"lcname": "python-dotenv-vault"
}
JSON
