- Python 100%
Added optional `--confrim` flag to `set` that prompts the user for confirmation on the value for the secret Also updated the `README.md` to recommend using `pipx` over `pip` for installation. |
||
|---|---|---|
| .claude | ||
| src/cinder | ||
| tests | ||
| .claudeignore | ||
| .gitignore | ||
| CLAUDE.md | ||
| pyproject.toml | ||
| README.md | ||
Cinder
Cinder is a simple secrets manager written in Python that was inspired by projects like direnv and doppler. The main goal of Cinder is to secure your env vars while also making them more portable across different projects.
Installation
Cinder can be installed one of two ways.
- Editable dev install:
pipx install -e .
- Standard install:
pipx install .
Note: If using Cinder through WSL, you also need the keyring_wincred package.
pipx inject cinder keyring_wincred
Note: Cinder requires Python >= 3.10 to run
Quickstart
cinder set MY_SECRET- The store self-initializes on first call- Create
.secretsfile in your project root, containingMY_SECRET cinder run -- your-command-runinjects the values from your.secretsfile intoyour-command
Commands
Set:
Sets the value for a secret in the store. This command upserts, so it will update existing secrets values.
Optional Flags:
--confirmadds a confirmation prompt to value input for the new secret
Usage Examples:
cinder set <NAME>cinder set --confirm <NAME>
delete:
Deletes a secret from the store.
Usage Example:
cinder delete <NAME>
list:
Lists the name of all secrets currently in the store. This command returns a list of secret names, or a message if the store is currently empty.
Usage Example:
cinder list
run:
Parses .secrets to get needed env vars, loads secrets from the store, and injects them into the process as env vars. It then executes the command and replaces current process via os.execvpe() on Unix, or subprocess.run() on Windows
Optional Flags:
--secrets-filespecify a specific path to read secrets from.
Usage Examples:
cinder run -- docker composecinder run --secrets-file /path/to/.secrets -- docker compose
.secrets file example
DB_USER
DB_PASSWORD
API_KEY
# Comments are supported
ACCESS_TOKEN
Configuration
The default database path for Cinder is ~/.cinder/store.db.
You can configure the database path by setting the CINDER_DB env var in your shell, or by passing the --db flag per-command with:
cinder --db /path/to/store.db set MY_SECRET
Security Model
- Secrets are stored, encrypted in a SQLite database at rest.
- AES-256-GCM encryption is used per secret.
- HMAC-SHA256 opaque IDs are used to mask the secret names while still providing lookup availability.
- Name is also stored, AES-256-GCM encrypted, in the database separately as well, to allow for full name retrieval.
- Key is stored in OS Keychain
Development
To install dev dependencies, you can run the following command:
pip install -e ".[dev]" - This installs pytest for running the test suite.