Manage your application secrets (with Google Cloud KMS)

secrets, kms, crypto
pip install appsecrets==0.7.0



Version License PythonVersions Build

Python 3.6+ library to manage your application secrets with Google Cloud KMS

How are my secrets stored?

The secret store currently supported is Google Cloud KMS. Other secret stores (like EJSON or AWS KMS) may be added (contributions are welcome).

Google KMS

Google KMS is a service that manage encryption keys for you. It also offer API calls to encrypt/decrypt arbitrary payloads with those keys. The Google KMS key is identified by a "resource id".

The secret store is a directory composed of:

  • a special file to store the key id (_google_kms_key_id)
  • files containing plaintext secrets
  • files containing encrypted secrets with an .enc extension
  • files prefixed with _, never encrypted


$ pip install appsecrets

Python API

import appsecrets

secrets = appsecrets.Secrets('secrets/production')
plaintext = secrets.decrypt('secret1')

Command line

Initialize the secret store:

$ appsecrets create secrets/production --google-kms projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1

Or manually:

$ mkdir -p secrets/production
$ echo 'projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1' > secrets/production/_google_kms_key_id
$ echo 'MYSECRET' > secrets/production/secret1

Check that all secrets are encrypted:

$ appsecrets check secrets/production

Encrypt all the plaintext secrets:

$ appsecrets encrypt secrets/production

Decrypt a single secret:

$ appsecrets decrypt secrets/production secret1


AppSecrets uses DevBuddy.

If you don't want to use DevBuddy, take a look at the file dev.yml to know how the project is setup/linted/tested/released.

  • Install DevBuddy
  • Run bud up to setup the development environment

Run the tests:

$ bud test

Create a new release:

$ bud release 0.4.0

Publish the release:

$ bud publish