# `secret`
### A [Rune](https://github.com/google/rune)-style type for sensitive values in Python
[](https://pypi.org/project/secret-type)
[](https://pypi.org/project/secret-type)
[](https://python-secret-type.readthedocs.io/en/latest/?badge=latest)
---
`secret-type` provides a convenient type (`secret`) to indicate that a value is considered sensitive, similar to the `secret` type in Google's [Rune Lang](https://github.com/google/rune).
## Installation
```console
pip install secret-type
```
## Usage
```pycon
>>> from secret_type import secret
>>> password = secret("a very secret value") # Secrets can be any primitive value
>>> print(password) # Runtime exceptions prevent logging
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "secret_type/containers/secret.py", line 91, in __str__
raise SecretException()
secret_type.exceptions.SecretException: Secrets cannot be examined
>>> better_password = password + "!" # Operations derive new secrets
>>> >>> type(better_password)
<class 'secret_type.sequence.SecretStr'>
>>> better_password.dangerous_apply(print)
a very secret value!
```
# Features
- When marked as secret, values cannot be printed or logged; attempting to do so will raise an exception.
- Secrets are "viral"; any operation on a secret will also return a secret.
- Comparison operations with a `secret` are guaranteed to be constant-time.This helps avoid timing attacks.
- A `bool` derived from a secret cannot be used for control flow.
- Secrets cannot be used as indexes or keys for containers.
- Internally, the underlying value is stored encrypted in memory, and is only decrypted when deriving a new value.
- As soon as secrets are out of scope, the Garbage Collector is encouraged to immediately collect them.
# Docs
For complete docs, see the [Quickstart](https://python-secret-type.readthedocs.io/en/latest/quickstart/).
# Comparison to Rune
Rune makes the following guarantees about a `secret`:
> - All operations on secrets occur in constant time, minimizing timing side-channel leakage.
> - Secrets cannot be used in conditional branches or memory addressing.
> - Even speculative branching and indexing on secrets are caught at compile-time to avoid Specter/Meltdown.
> - Secrecy is sticky: any value in part derived from a secret is considered secret until "revealed".
> - Secrets are automatically zeroed when no longer used
This projects attempts to do something similar, but with the runtime constraints of Python.
## License
`secret-type` is distributed under the terms of the [MIT](https://spdx.org/licenses/MIT.html) license.
Raw data
{
"_id": null,
"home_page": null,
"name": "secret-type",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": null,
"keywords": "secrets,security,sensitive,sensitive-data,sensitive-information,sensitive-values,type-hints,types,typing",
"author": null,
"author_email": "Yasyf Mohamedali <yasyfm@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/10/f3/460f413c1a711282ea751490126cfee13bd1be3ab482557365c85370ada4/secret_type-0.3.0.tar.gz",
"platform": null,
"description": "# `secret`\n### A [Rune](https://github.com/google/rune)-style type for sensitive values in Python\n\n[](https://pypi.org/project/secret-type)\n[](https://pypi.org/project/secret-type)\n[](https://python-secret-type.readthedocs.io/en/latest/?badge=latest)\n\n---\n\n`secret-type` provides a convenient type (`secret`) to indicate that a value is considered sensitive, similar to the `secret` type in Google's [Rune Lang](https://github.com/google/rune).\n\n## Installation\n\n```console\npip install secret-type\n```\n\n## Usage\n\n```pycon\n>>> from secret_type import secret\n>>> password = secret(\"a very secret value\") # Secrets can be any primitive value\n\n>>> print(password) # Runtime exceptions prevent logging\nTraceback (most recent call last):\n File \"<stdin>\", line 1, in <module>\n File \"secret_type/containers/secret.py\", line 91, in __str__\n raise SecretException()\nsecret_type.exceptions.SecretException: Secrets cannot be examined\n\n>>> better_password = password + \"!\" # Operations derive new secrets\n>>> >>> type(better_password)\n<class 'secret_type.sequence.SecretStr'>\n\n>>> better_password.dangerous_apply(print)\na very secret value!\n```\n\n# Features\n - When marked as secret, values cannot be printed or logged; attempting to do so will raise an exception.\n - Secrets are \"viral\"; any operation on a secret will also return a secret.\n - Comparison operations with a `secret` are guaranteed to be constant-time.This helps avoid timing attacks.\n - A `bool` derived from a secret cannot be used for control flow.\n - Secrets cannot be used as indexes or keys for containers.\n - Internally, the underlying value is stored encrypted in memory, and is only decrypted when deriving a new value.\n - As soon as secrets are out of scope, the Garbage Collector is encouraged to immediately collect them.\n\n# Docs\n\nFor complete docs, see the [Quickstart](https://python-secret-type.readthedocs.io/en/latest/quickstart/).\n# Comparison to Rune\nRune makes the following guarantees about a `secret`:\n\n> - All operations on secrets occur in constant time, minimizing timing side-channel leakage.\n> - Secrets cannot be used in conditional branches or memory addressing.\n> - Even speculative branching and indexing on secrets are caught at compile-time to avoid Specter/Meltdown.\n> - Secrecy is sticky: any value in part derived from a secret is considered secret until \"revealed\".\n> - Secrets are automatically zeroed when no longer used\n\nThis projects attempts to do something similar, but with the runtime constraints of Python.\n\n## License\n\n`secret-type` is distributed under the terms of the [MIT](https://spdx.org/licenses/MIT.html) license.\n",
"bugtrack_url": null,
"license": null,
"summary": "A Rune-style secret type for sensitive values in Python.",
"version": "0.3.0",
"project_urls": {
"Documentation": "https://python-secret-type.readthedocs.io",
"Issues": "https://github.com/yasyf/secret-type/issues",
"Source": "https://github.com/yasyf/secret-type"
},
"split_keywords": [
"secrets",
"security",
"sensitive",
"sensitive-data",
"sensitive-information",
"sensitive-values",
"type-hints",
"types",
"typing"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "15b5e9c55a2ec41644bbc1b386e535a7c2dc56fd82015df68f2d1e9c76601419",
"md5": "6d16b02d0ccd01b43f5ab33fb2c1cb52",
"sha256": "44aa14b99fd274b7f58d3a3ea7ec42f96833f2e190464e85c2c903805b4f471c"
},
"downloads": -1,
"filename": "secret_type-0.3.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "6d16b02d0ccd01b43f5ab33fb2c1cb52",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7",
"size": 14306,
"upload_time": "2022-11-29T11:34:36",
"upload_time_iso_8601": "2022-11-29T11:34:36.786297Z",
"url": "https://files.pythonhosted.org/packages/15/b5/e9c55a2ec41644bbc1b386e535a7c2dc56fd82015df68f2d1e9c76601419/secret_type-0.3.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "10f3460f413c1a711282ea751490126cfee13bd1be3ab482557365c85370ada4",
"md5": "ea19037eaf38f98ea62ba6eebf877ffe",
"sha256": "1cda5a9d6b47eb963a9a70431165759cbb90d4260b13a0649d6fdffc74c2f7ff"
},
"downloads": -1,
"filename": "secret_type-0.3.0.tar.gz",
"has_sig": false,
"md5_digest": "ea19037eaf38f98ea62ba6eebf877ffe",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 15371,
"upload_time": "2022-11-29T11:34:38",
"upload_time_iso_8601": "2022-11-29T11:34:38.683550Z",
"url": "https://files.pythonhosted.org/packages/10/f3/460f413c1a711282ea751490126cfee13bd1be3ab482557365c85370ada4/secret_type-0.3.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2022-11-29 11:34:38",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "yasyf",
"github_project": "secret-type",
"github_not_found": true,
"lcname": "secret-type"
}
JSON
