Cinder is a CLI secrets manager built in Python
Find a file
cwilson 0318cb639e feat: Added --confirm flag to the set command
Added optional `--confrim` flag to `set` that prompts the user for confirmation on the value for the secret
Also updated the `README.md` to recommend using `pipx` over `pip` for installation.
2026-06-22 11:25:00 -04:00
.claude Initial commit 2026-06-11 13:13:41 +00:00
src/cinder feat: Added --confirm flag to the set command 2026-06-22 11:25:00 -04:00
tests feat: Added --confirm flag to the set command 2026-06-22 11:25:00 -04:00
.claudeignore Initial commit 2026-06-11 13:13:41 +00:00
.gitignore Initial Commit 2026-06-16 13:02:05 -04:00
CLAUDE.md Initial Commit 2026-06-16 13:02:05 -04:00
pyproject.toml feat: Implemented OS Keychain support. 2026-06-19 11:22:13 -04:00
README.md feat: Added --confirm flag to the set command 2026-06-22 11:25:00 -04:00

Cinder

Cinder is a simple secrets manager written in Python that was inspired by projects like direnv and doppler. The main goal of Cinder is to secure your env vars while also making them more portable across different projects.

Installation

Cinder can be installed one of two ways.

  1. Editable dev install:
    • pipx install -e .
  2. Standard install:
    • pipx install .

Note: If using Cinder through WSL, you also need the keyring_wincred package.

  • pipx inject cinder keyring_wincred

Note: Cinder requires Python >= 3.10 to run

Quickstart

  1. cinder set MY_SECRET - The store self-initializes on first call
  2. Create .secrets file in your project root, containing MY_SECRET
  3. cinder run -- your-command - run injects the values from your .secrets file into your-command

Commands

Set:

Sets the value for a secret in the store. This command upserts, so it will update existing secrets values.

Optional Flags:

  • --confirm adds a confirmation prompt to value input for the new secret

Usage Examples:

  • cinder set <NAME>
  • cinder set --confirm <NAME>

delete:

Deletes a secret from the store.

Usage Example:

  • cinder delete <NAME>

list:

Lists the name of all secrets currently in the store. This command returns a list of secret names, or a message if the store is currently empty.

Usage Example:

  • cinder list

run:

Parses .secrets to get needed env vars, loads secrets from the store, and injects them into the process as env vars. It then executes the command and replaces current process via os.execvpe() on Unix, or subprocess.run() on Windows

Optional Flags:

  • --secrets-file specify a specific path to read secrets from.

Usage Examples:

  • cinder run -- docker compose
  • cinder run --secrets-file /path/to/.secrets -- docker compose

.secrets file example

DB_USER
DB_PASSWORD
API_KEY

# Comments are supported
ACCESS_TOKEN

Configuration

The default database path for Cinder is ~/.cinder/store.db.
You can configure the database path by setting the CINDER_DB env var in your shell, or by passing the --db flag per-command with:
cinder --db /path/to/store.db set MY_SECRET

Security Model

  • Secrets are stored, encrypted in a SQLite database at rest.
  • AES-256-GCM encryption is used per secret.
  • HMAC-SHA256 opaque IDs are used to mask the secret names while still providing lookup availability.
    • Name is also stored, AES-256-GCM encrypted, in the database separately as well, to allow for full name retrieval.
  • Key is stored in OS Keychain

Development

To install dev dependencies, you can run the following command:
pip install -e ".[dev]" - This installs pytest for running the test suite.