Almost all applications have configuration of some kind, and often this config is sensitive - database passwords, SMTP account details, API keys etc.
These days it's common to use public source control, which means you can no longer store your application's sensitive config with your code.
Sesame provides a simple way to encrypt (and decrypt) your application's config so it can be safely stored in public source control.
Sesame leans on a little-known project called keyczar, which was originally built by members of the Google Security Team.
Keyczar in turn builds upon pycrypto, and aims to provide sane defaults for your crypto.
To install sesame, simply:
$ pip install sesame
The interface to Sesame is intended to be as simple as possible. There are only two commands: encrypt and decrypt, and each of these has only two parameters available: config and keyfile.
When calling encrypt the keyfile parameter is optional - if you do not supply it, Sesame will prompt you to generate a new key.
$ sesame -h
usage: sesame encrypt [-h] -c CONFIG [-k KEYFILE]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Path to your app config
  -k KEYFILE, --keyfile KEYFILE
                        Path to keyczar encryption key