A Rune-style secret type for sensitive values in Python.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for yasyf from gravatar.com yasyf

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

Author: Yasyf Mohamedali

Tags secrets, security, sensitive, sensitive-data, sensitive-information, sensitive-values, type-hints, types, typing

Requires: Python >=3.7

Classifiers

Project description

secret

A Rune-style type for sensitive values in Python

PyPI - Version PyPI - Python Version Documentation Status

secret-type provides a convenient type (secret) to indicate that a value is considered sensitive, similar to the secret type in Google's Rune Lang.

Installation

pip install secret-type

Usage

>>> from secret_type import secret
>>> password = secret("a very secret value") # Secrets can be any primitive value

>>> print(password) # Runtime exceptions prevent logging
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "secret_type/containers/secret.py", line 91, in __str__
    raise SecretException()
secret_type.exceptions.SecretException: Secrets cannot be examined

>>> better_password = password + "!" # Operations derive new secrets
>>> >>> type(better_password)
<class 'secret_type.sequence.SecretStr'>

>>> better_password.dangerous_apply(print)
a very secret value!

Features

  • When marked as secret, values cannot be printed or logged; attempting to do so will raise an exception.
  • Secrets are "viral"; any operation on a secret will also return a secret.
  • Comparison operations with a secret are guaranteed to be constant-time.This helps avoid timing attacks.
  • A bool derived from a secret cannot be used for control flow.
  • Secrets cannot be used as indexes or keys for containers.
  • Internally, the underlying value is stored encrypted in memory, and is only decrypted when deriving a new value.
  • As soon as secrets are out of scope, the Garbage Collector is encouraged to immediately collect them.

Docs

For complete docs, see the Quickstart.

Comparison to Rune

Rune makes the following guarantees about a secret:

  • All operations on secrets occur in constant time, minimizing timing side-channel leakage.
  • Secrets cannot be used in conditional branches or memory addressing.
  • Even speculative branching and indexing on secrets are caught at compile-time to avoid Specter/Meltdown.
  • Secrecy is sticky: any value in part derived from a secret is considered secret until "revealed".
  • Secrets are automatically zeroed when no longer used

This projects attempts to do something similar, but with the runtime constraints of Python.

License

secret-type is distributed under the terms of the MIT license.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for yasyf from gravatar.com yasyf

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

Author: Yasyf Mohamedali

Tags secrets, security, sensitive, sensitive-data, sensitive-information, sensitive-values, type-hints, types, typing

Requires: Python >=3.7

Classifiers

Release history Release notifications | RSS feed

This version

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secret_type-0.3.0.tar.gz (15.4 kB view hashes)

Uploaded Source

Built Distribution

secret_type-0.3.0-py3-none-any.whl (14.3 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page