
API between repository secrets and nefarious individuals

About the project:

Locksmith acts as a liaison between precious client secrets and public version control. Locksmith uses GPG to encrypt secrets (API keys, database passwords, etc.). Rather than storing plaintext passwords as hardcoded values in your code, locksmith exposes a simple API for decrypting your passwords and running your app.

To keep development unencumbered, locksmith only requires your password when you run your app, not every time you access a secret. In addition, tools like pinentry enable you to cache your password locally, so you only ever have to enter your password once, if you desire.

This is one of my favorite projects, I use it all over willcarh.art 🤗



locksmith acts as an interface between secrets and the Python code using them.

A simple use case

Consider the following scenario: Your cool new app requires a slick, unique API key to run. Perhaps your framework requires you to put this API key in a manifest.json file. However, your manifest file(s) need to be checked into GitHub, thus exposing your precious API key. locksmith provides a layer of security to prevent you from having to type out your secrets in plaintext anywhere in your repository.

Easy-to-use API

Once you've installed and set up locksmith (see here for instructions), locksmith exposes a simple API:

In your code, replace the hardcoded value:

api_key = "D4kTnNOp5lwKYJGwHkai"

with a lookup through locksmith:

lock = Locksmith("your_username")
api_key = lock.get_secret('API_KEY')

It's that easy!
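As an added example (not code from locksmith or this page), here is the check a reviewer or pre-commit hook can run to confirm that the refactor above actually removed the plaintext form: it flags assignments of long, high-entropy literals to secret-looking names and accepts values fetched via get_secret(). The sample "before" and "after" snippets are constructed from the page; the variable names and entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Assignment of a long bare or quoted token to a secret-looking variable name.
SECRET_NAME = r"(?:api[_-]?key|secret|password|passwd|token)"
ASSIGNMENT = re.compile(
    rf"(?i)\b(?P<name>\w*{SECRET_NAME}\w*)\s*=\s*"
    rf"(?P<quote>[\"']?)(?P<value>[A-Za-z0-9_\-]{{16,}})(?P=quote)"
)
# A value obtained through locksmith's API is the pattern we want to see.
LOCKSMITH_CALL = re.compile(r"\.get_secret\(")
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys score ~4+, placeholders far lower


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of a string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list[tuple[int, str, float]]:
    """Return (line number, variable name, entropy) for likely hardcoded secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if LOCKSMITH_CALL.search(line):
            continue  # secret is resolved at runtime, nothing literal to leak
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        entropy = shannon_entropy(match.group("value"))
        if entropy >= ENTROPY_THRESHOLD:
            findings.append((lineno, match.group("name"), round(entropy, 2)))
    return findings


# Constructed samples: the page's "before" and "after" forms, plus a low-entropy placeholder.
BEFORE = 'api_key = "D4kTnNOp5lwKYJGwHkai"\n'
AFTER = 'lock = Locksmith("your_username")\napi_key = lock.get_secret(\'API_KEY\')\n'
PLACEHOLDER = 'SECRET_TOKEN = "xxxxxxxxxxxxxxxxxxxx"\n'

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER), ("placeholder", PLACEHOLDER)):
        print(label, scan_source(src))
```

The placeholder case shows why the entropy test matters: a length-only rule would flag repeated-character dummies that are not real leaks.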

locksmith uses GPG to encrypt secrets, so only the encrypted form ever reaches your repository.