Skip to content

thevickypedia/VaultAPI

Repository files navigation

VaultAPI

Lightweight API to store/retrieve secrets to/from an encrypted Database

VaultAPI is designed to be extremely lightweight, secure, and easy to use. It provides cutting-edge security features like AES-GCM, Fernet encryption, and rate limiting all out of the box. It also includes transit encryption to ensure that the secrets are encrypted during transit to protect against man-in-the-middle attacks.

Python

Platform Supported

Platform docker-image

Deployments

docker pypi

coverage dependabot

markdown pages

Pypi Pypi-format Pypi-status

Kick off

Recommendations

Install VaultAPI

python -m pip install vaultapi

Initiate - IDE

import vaultapi

if __name__ == '__main__':
    vaultapi.start()

Initiate - CLI

vaultapi start

Use vaultapi --help for usage instructions.

Environment Variables

Sourcing environment variables from an env file

By default, VaultAPI will look for a .env file in the current working directory.

Mandatory

  • APIKEY - API Key for authentication.
  • SECRET - Secret access key to encrypt/decrypt the secrets in the Datastore.

Optional (with defaults)

  • TRANSIT_KEY_LENGTH - AES key length for transit encryption. Defaults to 32
  • TRANSIT_TIME_BUCKET - Interval for which the transit epoch should remain constant. Defaults to 60
  • AUTHORIZATION_VALIDITY - Time in seconds for which the authorization header is valid. Defaults to 30
  • DATABASE - FilePath to store the secrets' database. Defaults to secrets.db
  • HOST - Hostname for the API server. Defaults to 0.0.0.0 [OR] localhost
  • PORT - Port number for the API server. Defaults to 9010
  • WORKERS - Number of workers for the uvicorn server. Defaults to 1
  • RATE_LIMIT - List of dictionaries with max_requests and seconds to apply as rate limit. Defaults to 5req/2s [AND] 10req/30s

Optional (without defaults)

  • LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.
  • ALLOWED_ORIGINS - List of origins that should be allowed through CORS.

Optional (UI integration)

  • ENABLE_UI - Boolean flag to enable the UI. Defaults to false
  • AUTH_DATABASE - FilePath to store the UI authentication database. Defaults to auth.db
  • TOTP_TOKEN - Secret token for TOTP authentication in the UI. Can be generated using any TOTP generator app like Google Authenticator or Authy.
  • UI_LIFETIME - Time in seconds for which the UI session should remain active. Defaults to 900 (15 minutes)
Auto generate a SECRET value

This value will be used to encrypt/decrypt the secrets stored in the database.

CLI

vaultapi keygen

IDE

from cryptography.fernet import Fernet
print(Fernet.generate_key())

API Functionality

Endpoint Description API method Authorization Header
/health API health endpoint GET N/A
/get-secret Retrieve secrets (comma separated list) GET HMAC-SHA512(apikey+timestamp)
/get-table Get ALL the secrets stored in a table GET HMAC-SHA512(apikey+timestamp)
/list-tables List all available tables GET HMAC-SHA512(apikey+timestamp)
/create-table Create a new table POST HMAC-SHA512(apikey+timestamp)
/put-secret Store or update a secret (key-value pairs) PUT HMAC-SHA512(apikey+secret+timestamp)
/delete-secret Delete a specific secret DELETE HMAC-SHA512(apikey+secret+timestamp)
/delete-table Deletes an existing table DELETE HMAC-SHA512(apikey+secret+timestamp)
/rename-table Renames an existing table PATCH HMAC-SHA512(apikey+secret+timestamp)

Clients

Clients are available in multiple languages to interact with the API server.

Python: VaultAPI-Client-python

Rust: VaultAPI-Client-rust

Checkout decryptors for on-demand scripts to decrypt the secrets retrieved from the API.

Coding Standards

Docstring format: Google
Styling conventions: PEP 8 and isort

Requirement

python -m pip install gitverse

Usage

gitverse-release reverse -f release_notes.rst -t 'Release Notes'

Linting

pre-commit will ensure linting, run pytest, generate runbook & release notes, and validate hyperlinks in ALL markdown files (including Wiki pages)

Requirement

python -m pip install sphinx==5.1.1 pre-commit recommonmark

Usage

pre-commit run --all-files

Pypi Package

pypi-module

https://pypi.org/project/VaultAPI/

Docker Image

made-with-docker-doc

https://hub.docker.com/r/thevickypedia/vaultapi

Runbook

made-with-sphinx-doc

https://thevickypedia.github.io/VaultAPI/

License & copyright

Β© Vignesh Rao

Licensed under the MIT License

About

πŸ” Lightweight API to store/retrieve secrets to/from an encrypted Database

Resources

License

Stars

0 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors