| Field | Value |
| --- | --- |
| Name | rest-encrypt |
| Version | 0.1.0 |
| home_page | None |
| Summary | Lightweight encryption-at-rest for application secrets |
| upload_time | 2025-07-23 19:06:54 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.11 |
| license | None |
| keywords | encrypt, at, rest |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# Rest-Encrypt
Rest-Encrypt provides lightweight encryption-at-rest for application secrets on
both Windows and Linux. Secrets are stored on disk encrypted and are decrypted
only at runtime when your application needs them. The project ships a small
Python API and a command line interface.

---
## Features
- Secrets stored as encrypted files (`secrets.enc`) using Fernet (AES-GCM + HMAC).
- Data keys wrapped using platform specific mechanisms:
  - **Windows**: DPAPI in user or machine scope.
  - **Linux**: scrypt + AES-GCM with a local passphrase file.
- Supports JSON, TOML, INI, `.env` and Python ``dict`` formats.
- Rotate secrets or the wrapping key with a single command.
## Installation
```bash
pip install rest-encrypt
```
---
## Quick Start
```bash
# initialise encrypted secrets from a JSON file
rest-encrypt init --secrets-path secrets.enc \
    --wrapped-key-path wrapped.key \
    --from-file secrets.json

# decrypt and print the stored secrets
rest-encrypt load --secrets-path secrets.enc \
    --wrapped-key-path wrapped.key --print
```
### CLI Usage
```bash
# inject secrets into the environment and run a command
rest-encrypt env-run --secrets-path secrets.enc \
    --wrapped-key-path wrapped.key -- \
    python my_script.py

# rotate the wrapped data key
rest-encrypt rotate-key --secrets-path secrets.enc \
    --wrapped-key-path wrapped.key
```
### Python API
```python
from rest_encrypt import SecretStore

store = SecretStore(
    secrets_path="secrets.enc",
    wrapped_key_path="wrapped.key",
    scope="user",  # DPAPI scope on Windows, ignored on Linux
    serializer="json",
    passphrase_path="/etc/rest-encrypt/passphrase",  # Linux only
)

# one-time initialisation
store.init_from_plain({"API_KEY": "123"})

# later, load and use the secrets
secrets = store.load()
store.inject_env(secrets, scope="process")
```
---
## File Layout
Two files are created next to each other:
```
secrets.enc # encrypted secrets
wrapped.key # wrapped data key
```
The ``wrapped.key`` is bound to your operating system. On Linux it is encrypted
with a passphrase file, while on Windows DPAPI protects it.
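
On Linux the wrapped key is only as well protected as the passphrase file, so a deployment check is useful. The following is an added example, not part of rest-encrypt: `audit_layout` is a hypothetical helper, and its policy (passphrase file mode 0600, kept outside the directory holding `secrets.enc` and `wrapped.key`) is an assumption of this example, not a documented project requirement.

```python
import os
import stat
from pathlib import Path


def audit_layout(secrets_path, wrapped_key_path, passphrase_path):
    """Return a list of findings for a Linux deployment (empty list = OK)."""
    secrets, wrapped, phrase = (
        Path(p) for p in (secrets_path, wrapped_key_path, passphrase_path)
    )
    findings = []

    # lstat: report a symlink instead of silently following it
    try:
        st = os.lstat(phrase)
    except FileNotFoundError:
        return [f"{phrase}: passphrase file is missing"]

    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{phrase}: not a regular file (symlink or special)")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{phrase}: mode {mode:04o} allows group/other; use 0600")

    # Copying a single directory must not yield the ciphertext, the wrapped
    # key and the passphrase together (assumed policy of this example).
    phrase_dir = phrase.resolve().parent
    for other in (secrets, wrapped):
        if other.resolve().parent == phrase_dir:
            findings.append(f"{phrase}: same directory as {other.name}")

    # World-writable ciphertext or wrapped key can be swapped by any local user
    for f in (secrets, wrapped):
        if f.exists() and f.stat().st_mode & stat.S_IWOTH:
            findings.append(f"{f}: world-writable")
    return findings


if __name__ == "__main__":
    # Paths taken from the Python API example on this page
    for line in audit_layout("secrets.enc", "wrapped.key",
                             "/etc/rest-encrypt/passphrase"):
        print("FINDING:", line)
```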
## Security Notes
See [SECURITY.md](SECURITY.md) for the detailed threat model. In short, the goal
is to protect secrets if the encrypted files are copied elsewhere. Local admin
or root access on the original machine can always recover the data.

---
## License
This project is licensed under the Apache 2.0 License.