easy-vault - Secure vault files that are easy to use¶

The easy-vault Python package provides commands for encrypting and decrypting vault files that can be in any format. It provides for programmatic access to encrypted vault files from Python programs, so that the file itself can stay encrypted in the file system but can still be used by the program in clear text.

At first use on a particular vault file, the encryption command prompts for a vault password and stores that in the keyring service of your local system using the keyring package. Subsequent encryption and decryption of the vault file will then use the password from the keyring, avoiding any further password prompts. Programmatic access can also be done with the password from the keyring.

The encryption of the vault files is implemented using the symmetric key functionality of the cryptography package.

One use case for this package is for example the daily work with programs that need the secrets from a vault to access some server or service. For that, the program in question needs to have integrated with this package.

Another use case is testing in CI/CD systems: The encrypted vault file is stored in a repository and the password to access it is put as a secret into the CI/CD system (most CI/CD systems these days support storing secrets in a secure way). The test program uses the vault password from the CI/CD secret to get access to the vault to get to the secrets that are needed to perform the tests. One could have put the vault secrets directly into the CI/CD system, but if the vault file is also used for local work, or if the number of secrets is large or has a complex structure, it is better to have the indirection of the vault file.

The vault files stay encrypted in the file system while they are used, and are only decrypted and re-encrypted in the file system when secrets need to be updated/added/removed.

This package allows putting at rest the habit of having clear text files that contain passwords, API keys and other secrets, and allows transitioning to a secure but still easy to use approach for managing such secrets.

Why a new vault implementation: The ansible-vault command provided the functionality we needed and was originally used (except for the keyring storage which we added). However, Ansible does not support native Windows and that was a requirement. Also, the ansible-vault command requires installing the entire Ansible which is quite large. Searching Pypi for suitable vaults that a) have commands for encrypting and decrypting and b) provide programmatic access to the encrypted file, did not reveal anything suitable.

Usage¶

Supported environments¶

The easy-vault package is supported in these environments:

Operating Systems: Linux, macOS / OS-X, native Windows, Linux subsystem in Windows, UNIX-like environments in Windows.
Python: 2.7, 3.4, and higher

Installation¶

The following command installs the easy-vault package and its prerequisite packages into the active Python environment:

$ pip install easy-vault

Managing the vault file¶

The easy-vault package comes with a command named “easy-vault” that is used to encrypt or decrypt the vault file in place:

$ easy-vault encrypt VAULTFILE
$ easy-vault decrypt VAULTFILE

This command displays self-explanatory help, e.g.:

$ easy-vault --help
$ easy-vault encrypt --help
$ easy-vault decrypt --help
$ easy-vault check-keyring --help

Accessing the secrets in a program¶

The easy-vault package provides programmatic access to the vault file, regardless of whether the vault file is currently encrypted or decrypted. See the API Reference for details.

The following Python code demonstrates how to access the secrets in a vault file in YAML format:

import easy_vault

vault_file = 'examples/vault.yml'  # Path name of Ansible vault file

password = easy_vault.get_password(vault_file)
vault = easy_vault.EasyVault(vault_file, password)
try:
    vault_obj = vault.get_yaml()
except easy_vault.EasyVaultException as exc:
    . . . # handle error
easy_vault.set_password(vault_file, password)

myserver_nick = 'myserver1'        # Nickname of a secret in the vault file

myserver_secrets = vault_obj['secrets'][myserver_nick]

session = MySession(               # A fictitious session class
    host=myserver_secrets['host'],            # 10.11.12.13
    username=myserver_secrets['username'],    # myuser1
    password=myserver_secrets['password'])    # mypass1

# Do something in the server session
. . .

Here is the vault file ‘examples/vault.yml’ that is used in the example code:

# Example Ansible vault file

secrets:

  myserver1:
    host: 10.11.12.13
    username: myuser1
    password: mypass1

  myserver2:
    host: 10.11.12.14
    username: myuser2
    password: mypass2

The vault file does not need to be in YAML format; there are access functions for accessing its raw content as a Byte string and as a Unicode string, too.

Keyring service¶

The easy-vault package accesses the keyring service of the local system via the keyring package. That package supports a number of different keyring services and can be configured to use alternate keyring services.

By default, the following keyring services are active and will be used by the keyring package:

On macOS: Keychain
On Linux: depends
On Windows: Credential Locker

API Reference¶

This section describes the API of the easy-vault package. The API is kept stable using the compatibility rules defined for semantic versioning.

Any functions not described in this section are considered internal and may change incompatibly without warning.

EasyVault class¶

class easy_vault.EasyVault(filepath, password=None)[source]¶

A vault file that can be encrypted and decrypted.

An object of this class is tied to a single vault file and a single vault password.

There are no requirements for the format of the vault file. It may be a text file or a binary file (but the typical case for a vault file would be a text file, e.g. in YAML format).

There is no size limit to the vault file. However, because the complete vault file is read into memory in one chunk, this implementation is not well suited for handling huge files. It is really meant for vault files: Files that keep secrets, but not huge data.

The password may be provided or not (None). If the password is provided, it is converted to a symmetric key which is then used for encrypting and decrypting the vault file itself and for decrypting the vault file content upon access. If the password is not provided, encryption and decryption of the vault file is rejected and access to the vault file content requires that the vault file is in the decrypted state.

The encryption package used by this class is pluggable. The default implementation uses the symmetric key support from the cryptography package.

Users who whish to use a different encryption package can do so by subclassing this class and implementing the following methods to use a different encryption package:

generate_key() - Calculate a symmetric key from a password.
encrypt_data() - Encrypt clear data with a symmetric key.
decrypt_data() - Decrypt encrypted data with a symmetric key.

Parameters

filepath (unicode string) – Path name of the vault file.
password (unicode string) – Password for encrypting and decrypting the vault file, or None if not provided.

Raises

TypeError – Type error in arguments or in return of pluggable encryption function.

Attributes:

`filepath`	Path name of the vault file.
`password_provided`	Indicates whether a vault password was provided.

Methods:

`is_encrypted`()	Test whether the vault file is encrypted by easy-vault.
`encrypt`()	Encrypt the vault file.
`decrypt`()	Decrypt the vault file.
`get_bytes`()	Get the decrypted content of the vault file as a Byte sequence.
`get_text`()	Get the decrypted content of the vault file as a Unicode string.
`get_yaml`()	Get the decrypted content of a YAML-formatted vault file as a YAML object.
`generate_key`(password)	Encryption implementation: Calculate a symmetric key from a password.
`encrypt_data`(clear_data, key)	Encryption implementation: Encrypt clear data with a symmetric key.
`decrypt_data`(encrypted_data, key)	Encryption implementation: Decrypt encrypted data with a symmetric key.

property filepath¶

Path name of the vault file.

Type: unicode string)

property password_provided¶

Indicates whether a vault password was provided.

Type: bool

is_encrypted()[source]¶

Test whether the vault file is encrypted by easy-vault.

This is done by checking for the unique easy-vault header in the first line of the vault file.

This method does not require a vault password to be provided.

Returns: Boolean indicating whether the vault file is encrypted by easy-vault.
Return type: bool
Raises: EasyVaultFileError – I/O error with the vault file.

encrypt()[source]¶

Encrypt the vault file.

The vault file must be decrypted (i.e. not encrypted by easy-vault).

This method requires a vault password to be provided.

Raises

EasyVaultFileError – I/O error with the vault file or a temporary file.
EasyVaultEncryptError – Error encrypting the vault file.

decrypt()[source]¶

Decrypt the vault file.

The vault file must be encrypted by easy-vault.

This method requires a vault password to be provided.

Raises

EasyVaultFileError – I/O error with the vault file or a temporary file.
EasyVaultDecryptError – Error decrypting the vault file.

get_bytes()[source]¶

Get the decrypted content of the vault file as a Byte sequence.

The vault file may be in the encrypted or decrypted state and remains unchanged.

If the vault file is in the encrypted state, the object this method is called on must have been created with a vault password.

Returns

Decrypted content of the vault file, as a Byte sequence.

Return type

byte string

Raises

EasyVaultFileError – I/O error with the vault file.
EasyVaultDecryptError – Error decrypting the vault file.

get_text()[source]¶

Get the decrypted content of the vault file as a Unicode string.

The vault file may be in the encrypted or decrypted state and remains unchanged.

If the vault file is in the encrypted state, the object this method is called on must have been created with a vault password.

Returns

Decrypted content of the vault file, as a Unicode string.

Return type

unicode string

Raises

EasyVaultFileError – I/O error with the vault file.
EasyVaultDecryptError – Error decrypting the vault file.

get_yaml()[source]¶

Get the decrypted content of a YAML-formatted vault file as a YAML object.

The vault file may be in the encrypted or decrypted state and remains unchanged.

If the vault file is in the encrypted state, the object this method is called on must have been created with a vault password.

Returns

Top-level object of the YAML-formatted vault file.

Return type

dict or list

Raises

EasyVaultFileError – I/O error with the vault file or a temporary file.
EasyVaultYamlError – YAML syntax error in the vault file.
EasyVaultDecryptError – Error decrypting the vault file.

static generate_key(password)[source]¶

Encryption implementation: Calculate a symmetric key from a password.

The key must match the requirements of the encryption package that is used in the encrypt_data() and decrypt_data() methods.

Using this method repeatedly on the same password must result in the same key.

This method can be overwritten by users to use a different encryption package. Its default implementation uses the cryptography package, and calculates the key as a 256-bit key using 10000 iterations of SHA256 on the password, using a fixed salt.

Parameters: password (unicode string) – Password for encrypting and decrypting the vault file.
Returns: The calculated key.
Return type: byte string

static encrypt_data(clear_data, key)[source]¶

Encryption implementation: Encrypt clear data with a symmetric key.

This method can be overwritten by users to use a different encryption package. Its default implementation uses the cryptography.fernet encryption package.

Parameters

clear_data (byte string) – The clear data to be encrypted.
key (byte string) – The symmetric key to be used for the encryption.

Returns

The encrypted data.

Return type

byte string

decrypt_data(encrypted_data, key)[source]¶

Encryption implementation: Decrypt encrypted data with a symmetric key.

This method can be overwritten by users to use a different encryption package. Its default implementation uses the cryptography.fernet encryption package.

Parameters

encrypted_data (byte string) – The encrypted data to be decrypted.
key (byte string) – The encryption key to be used.

Returns

The clear data.

Return type

byte string

Raises

EasyVaultDecryptError – Error decrypting the vault file.

KeyRingLib class¶

class easy_vault.KeyRingLib[source]¶

Access to the keyring service of the local system for storing vault passwords.

An object of this class is tied to the keyring service and can store and retrieve multiple vault passwords.

The keyring items that are created have a fixed service/app name that starts with ‘easy_vault’. There is one keyring item for each vault file.

For details on the keyring service, see section Keyring service.

Methods:

`get_password`(filepath)	Get the password for a vault file from the keyring service.
`set_password`(filepath, password)	Set the password for a vault file in the keyring service.
`is_available`()	Indicate whether the keyring service is available on the local system.
`check_available`()	Check whether the keyring service is available on the local system.
`keyring_service`()	Return the service/app name that is used for the keyring item.
`keyring_username`(filepath)	Return the user/account name that is used for the keyring item.

get_password(filepath)[source]¶

Get the password for a vault file from the keyring service.

If the keyring service does not store a password for the vault file, None is returned.

Parameters

filepath (unicode string) – Path name of the vault file. It will be normalized to identify the keyring item for the vault file.

Returns

Password for the vault file, or None.

Return type

unicode string

Raises

KeyRingNotAvailable – No keyring service available.
KeyRingError – An error happend in the keyring service.

set_password(filepath, password)[source]¶

Set the password for a vault file in the keyring service.

Parameters

filepath (unicode string) – Path name of the vault file. It will be normalized to identify the keyring item for the vault file.
password (unicode string) – Password for the vault file.

Raises

KeyRingNotAvailable – No keyring service available.
KeyRingError – An error happend in the keyring service.

is_available()[source]¶

Indicate whether the keyring service is available on the local system.

This function reports this only as a boolean. If information about the reasons for not being available is needed, use the check_available() method instead.

Returns: Keyring service is available on the local system.
Return type: bool

static check_available()[source]¶

Check whether the keyring service is available on the local system.

If available, the method returns.

If not available, an exception is raised with a message that provides some information about the keyring configuration.

Raises: KeyRingNotAvailable – No keyring service available.

static keyring_service()[source]¶

Return the service/app name that is used for the keyring item.

That name is fixed within easy-vault and starts with ‘easy_vault’.

Returns: keyring service/app name.
Return type: unicode string

static keyring_username(filepath)[source]¶

Return the user/account name that is used for the keyring item.

That name is calculated from the normalized vault file path, such that each different vault file uses a different item in the keyring service.

Parameters: filepath (unicode string) – Path name of the vault file. It will be normalized to identify the keyring item for the vault file.
Returns: keyring user/account name.
Return type: unicode string

Password functions¶

easy_vault.get_password(filepath, use_keyring=True, use_prompting=True, verbose=False, echo=<built-in function print>)[source]¶

Get the password for a vault file from the keyring service and if not found there, by interactively prompting for it.

The use of the keyring service and the use of password prompting can be individually disabled, but at least one of them must be enabled.

Note that the function may still return no password, in case prompting is disabled and the keyring service did not have an item for the vault file stored.

This is a convenience function that uses the password methods of the KeyRingLib class.

Parameters

filepath (unicode string) – Path name of the vault file. It will be normalized to identify the keyring item for the vault file.
use_keyring (bool) – Enable the use of the keyring service for getting the password.
use_prompting (bool) – Enable the use of password prompting for getting the password.
verbose (bool) – Print additional messages about where the password comes from.
echo (function) – Print function to be used for the additional messages in verbose mode.

Returns

Password for the vault file, or None.

Return type

unicode string

Raises

ValueError – Use of keyring service and use of password prompting were both disabled.
KeyRingNotAvailable – No keyring service available.
KeyRingError – An error happend in the keyring service.

easy_vault.set_password(filepath, password, use_keyring=True, verbose=False, echo=<built-in function print>)[source]¶

Set the password for a vault file in the keyring service.

For consistency with get_password(), the use of the keyring service can be disabled, in which case the function does nothing.

This is a convenience function that uses the password methods of the KeyRingLib class.

Parameters

filepath (unicode string) – Path name of the vault file. It will be normalized to identify the keyring item for the vault file.
password (unicode string) – Password for the vault file.
use_keyring (bool) – Enable the use of the keyring service for setting the password.
verbose (bool) – Print additional messages about changes to the password in the keyring service.
echo (function) – Print function to be used for the additional messages in verbose mode.

Raises

KeyRingNotAvailable – No keyring service available.
KeyRingError – An error happend in the keyring service.

Exception classes¶

class easy_vault.EasyVaultException[source]¶

Base exception for all exceptions raised by the EasyVault class.

Derived from Exception.

class easy_vault.EasyVaultFileError[source]¶

Exception indicating file I/O errors with a vault file or with a temporary file (that is used when writing the vault file).

Derived from EasyVaultException.

class easy_vault.EasyVaultDecryptError[source]¶

Exception indicating that an encrypted vault file could not be decrypted.

Derived from EasyVaultException.

class easy_vault.EasyVaultEncryptError[source]¶

Exception indicating that a decrypted vault file could not be encrypted.

Derived from EasyVaultException.

class easy_vault.EasyVaultYamlError[source]¶

Exception indicating that a vault file in YAML format has a format issue.

Derived from EasyVaultException.

class easy_vault.KeyRingException[source]¶

Base exception for all exceptions raised by the KeyRingLib class.

Derived from Exception.

class easy_vault.KeyRingNotAvailable[source]¶

Exception indicating that the keyring service is not available.

Derived from KeyRingException.

class easy_vault.KeyRingError[source]¶

Exception indicating that an error happend in the keyring service.

Derived from KeyRingException.

Package version¶

easy_vault.__version__ = '0.6.0'¶

The full version of this package including any development levels, as a string.

Possible formats for this version string are:

“M.N.P.dev1”: Development level 1 of a not yet released version M.N.P
“M.N.P”: A released version M.N.P

Development¶

This section only needs to be read by developers of the easy-vault project, including people who want to make a fix or want to test the project.

Repository¶

The repository for the easy-vault project is on GitHub:

https://github.com/andy-maier/easy-vault

Setting up the development environment¶

If you have write access to the Git repo of this project, clone it using its SSH link, and switch to its working directory:
```
$ git clone git@github.com:andy-maier/easy-vault.git
$ cd easy-vault
```
If you do not have write access, create a fork on GitHub and clone the fork in the way shown above.
It is recommended that you set up a virtual Python environment. Have the virtual Python environment active for all remaining steps.
Install the project for development. This will install Python packages into the active Python environment, and OS-level packages:
```
$ make develop
```
This project uses Make to do things in the currently active Python environment. The command:
```
$ make
```
displays a list of valid Make targets and a short description of what each target does.

Building the documentation¶

The ReadTheDocs (RTD) site is used to publish the documentation for the project package at https://easy-vault.readthedocs.io/

This page is automatically updated whenever the Git repo for this package changes the branch from which this documentation is built.

In order to build the documentation locally from the Git work directory, execute:

$ make builddoc

The top-level document to open with a web browser will be build_doc/html/docs/index.html.

Testing¶

All of the following make commands run the tests in the currently active Python environment. Depending on how the easy-vault package is installed in that Python environment, either the directories in the main repository directory are used, or the installed package. The test case files and any utility functions they use are always used from the tests directory in the main repository directory.

The tests directory has the following subdirectory structure:

tests
 +-- unittest            Unit tests

There are multiple types of tests:

Unit tests

These tests can be run standalone, and the tests validate their results automatically.

They are run by executing:
```
$ make test
```
Test execution can be modified by a number of environment variables, as documented in the make help (execute make help).

An alternative that does not depend on the makefile and thus can be executed from the source distribution archive, is:
```
$ ./setup.py test
```
Options for pytest can be passed using the --pytest-options option.

Contributing¶

Third party contributions to this project are welcome!

In order to contribute, create a Git pull request, considering this:

Test is required.
Each commit should only contain one “logical” change.
A “logical” change should be put into one commit, and not split over multiple commits.
Large new features should be split into stages.
The commit message should not only summarize what you have done, but explain why the change is useful.

What comprises a “logical” change is subject to sound judgement. Sometimes, it makes sense to produce a set of commits for a feature (even if not large). For example, a first commit may introduce a (presumably) compatible API change without exploitation of that feature. With only this commit applied, it should be demonstrable that everything is still working as before. The next commit may be the exploitation of the feature in other components.

For further discussion of good and bad practices regarding commits, see:

Further rules:

The following long-lived branches exist and should be used as targets for pull requests:
- master - for next functional version
- stable_$MN - for fix stream of released version M.N.
We use topic branches for everything!
- Based upon the intended long-lived branch, if no dependencies
- Based upon an earlier topic branch, in case of dependencies
- It is valid to rebase topic branches and force-push them.
We use pull requests to review the branches.
- Use the correct long-lived branch (e.g. master or stable_0.2) as a merge target.
- Review happens as comments on the pull requests.
- At least one approval is required for merging.
GitHub meanwhile offers different ways to merge pull requests. We merge pull requests by rebasing the commit from the pull request.

Releasing a version to PyPI¶

This section describes how to release a version of easy-vault to PyPI.

It covers all variants of versions that can be released:

Releasing a new major version (Mnew.0.0) based on the master branch
Releasing a new minor version (M.Nnew.0) based on the master branch
Releasing a new update version (M.N.Unew) based on the stable branch of its minor version

The description assumes that the andy-maier/easy-vault Github repo is cloned locally and its upstream repo is assumed to have the Git remote name origin.

Any commands in the following steps are executed in the main directory of your local clone of the andy-maier/easy-vault Git repo.

Set shell variables for the version that is being released and the branch it is based on:
- MNU - Full version M.N.U that is being released
- MN - Major and minor version M.N of that full version
- BRANCH - Name of the branch the version that is being released is based on
When releasing a new major version (e.g. 1.0.0) based on the master branch:
```
MNU=1.0.0
MN=1.0
BRANCH=master
```
When releasing a new minor version (e.g. 0.9.0) based on the master branch:
```
MNU=0.9.0
MN=0.9
BRANCH=master
```
When releasing a new update version (e.g. 0.8.1) based on the stable branch of its minor version:
```
MNU=0.8.1
MN=0.8
BRANCH=stable_${MN}
```

Create a topic branch for the version that is being released:

git checkout ${BRANCH}
git pull
git checkout -b release_${MNU}

Edit the version file:
```
vi easy_vault/_version.py
```
and set the __version__ variable to the version that is being released:
```
__version__ = 'M.N.U'
```
Edit the change log:
```
vi docs/changes.rst
```
and make the following changes in the section of the version that is being released:
- Finalize the version.
- Change the release date to today’s date.
- Make sure that all changes are described.
- Make sure the items shown in the change log are relevant for and understandable by users.
- In the “Known issues” list item, remove the link to the issue tracker and add text for any known issues you want users to know about.
- Remove all empty list items.
When releasing based on the master branch, edit the GitHub workflow file test.yml:
```
vi .github/workflows/test.yml
```
and in the on section, increase the version of the stable_* branch to the new stable branch stable_M.N created earlier:
```
on:
  schedule:
    . . .
  push:
    branches: [ master, stable_M.N ]
  pull_request:
    branches: [ master, stable_M.N ]
```

Commit your changes and push the topic branch to the remote repo:

git status  # Double check the changed files
git commit -asm "Release ${MNU}"
git push --set-upstream origin release_${MNU}

On GitHub, create a Pull Request for branch release_M.N.U. This will trigger the CI runs.

Important: When creating Pull Requests, GitHub by default targets the master branch. When releasing based on a stable branch, you need to change the target branch of the Pull Request to stable_M.N.
On GitHub, close milestone M.N.U.
On GitHub, once the checks for the Pull Request for branch start_M.N.U have succeeded, merge the Pull Request (no review is needed). This automatically deletes the branch on GitHub.
Add a new tag for the version that is being released and push it to the remote repo. Clean up the local repo:
```
git checkout ${BRANCH}
git pull
git tag -f ${MNU}
git push -f --tags
git branch -d release_${MNU}
```
When releasing based on the master branch, create and push a new stable branch for the same minor version:
```
git checkout -b stable_${MN}
git push --set-upstream origin stable_${MN}
git checkout ${BRANCH}
```
Note that no GitHub Pull Request is created for any stable_* branch.
On GitHub, edit the new tag M.N.U, and create a release description on it. This will cause it to appear in the Release tab.

You can see the tags in GitHub via Code -> Releases -> Tags.
On ReadTheDocs, activate the new version M.N.U:
- Go to https://readthedocs.org/projects/easy-vault/versions/ and log in.
- Activate the new version M.N.U.
  
  This triggers a build of that version. Verify that the build succeeds and that new version is shown in the version selection popup at https://easy-vault.readthedocs.io/
Upload the package to PyPI:
```
make upload
```
This will show the package version and will ask for confirmation.

Attention! This only works once for each version. You cannot release the same version twice to PyPI.

Verify that the released version arrived on PyPI at https://pypi.python.org/pypi/easy-vault/

Starting a new version¶

This section shows the steps for starting development of a new version of the easy-vault project in its Git repo.

This section covers all variants of new versions:

Starting a new major version (Mnew.0.0) based on the master branch
Starting a new minor version (M.Nnew.0) based on the master branch
Starting a new update version (M.N.Unew) based on the stable branch of its minor version

The description assumes that the andy-maier/easy-vault Github repo is cloned locally and its upstream repo is assumed to have the Git remote name origin.

Any commands in the following steps are executed in the main directory of your local clone of the andy-maier/easy-vault Git repo.

Set shell variables for the version that is being started and the branch it is based on:
- MNU - Full version M.N.U that is being started
- MN - Major and minor version M.N of that full version
- BRANCH - Name of the branch the version that is being started is based on
When starting a new major version (e.g. 1.0.0) based on the master branch:
```
MNU=1.0.0
MN=1.0
BRANCH=master
```
When starting a new minor version (e.g. 0.9.0) based on the master branch:
```
MNU=0.9.0
MN=0.9
BRANCH=master
```
When starting a new minor version (e.g. 0.8.1) based on the stable branch of its minor version:
```
MNU=0.8.1
MN=0.8
BRANCH=stable_${MN}
```

Create a topic branch for the version that is being started:

git checkout ${BRANCH}
git pull
git checkout -b start_${MNU}

Edit the version file:
```
vi easy_vault/_version.py
```
and update the version to a draft version of the version that is being started:
```
__version__ = 'M.N.U.dev1'
```

Edit the change log:

vi docs/changes.rst

and insert the following section before the top-most section:

Version M.N.U.dev1
------------------

This version contains all fixes up to version M.N-1.x.

Released: not yet

**Incompatible changes:**

**Deprecations:**

**Bug fixes:**

**Enhancements:**

**Cleanup:**

**Known issues:**

* See `list of open issues`_.

.. _`list of open issues`: https://github.com/andy-maier/easy-vault/issues

Commit your changes and push them to the remote repo:

git status  # Double check the changed files
git commit -asm "Start ${MNU}"
git push --set-upstream origin start_${MNU}

On GitHub, create a Pull Request for branch start_M.N.U.

Important: When creating Pull Requests, GitHub by default targets the master branch. When starting a version based on a stable branch, you need to change the target branch of the Pull Request to stable_M.N.
On GitHub, create a milestone for the new version M.N.U.

You can create a milestone in GitHub via Issues -> Milestones -> New Milestone.
On GitHub, go through all open issues and pull requests that still have milestones for previous releases set, and either set them to the new milestone, or to have no milestone.
On GitHub, once the checks for the Pull Request for branch start_M.N.U have succeeded, merge the Pull Request (no review is needed). This automatically deletes the branch on GitHub.

Update and clean up the local repo:

git checkout ${BRANCH}
git pull
git branch -d start_${MNU}

Appendix¶

Glossary¶

string¶: a unicode string or a byte string
unicode string¶: a Unicode string type (unicode in Python 2, and str in Python 3)
byte string¶: a byte string type (str in Python 2, and bytes in Python 3). Unless otherwise indicated, byte strings in this project are always UTF-8 encoded.

References¶

Python glossary¶

Change log¶

Version 0.6.0¶

Released: 2021-04-02

Incompatible changes:

The new optional ‘use_prompting’ parameter of ‘easy_vault.get_password()’ was not added at the end of the parameter list. This is incompatible for users who called the function with positional arguments. (related to issue #20)
The ‘–prompt’ option of the ‘easy-vault encrypt’ and ‘easy-vault decrypt’ commands was removed. (related to issue #20)

Bug fixes:

Fixed the issue that an open() call used the ‘encoding’ argument which is not supported on Python 2.7.
Fixed issues with files on Windows that have CRLF line endings.

Enhancements:

In the ‘EasyVault’ class, added more user control for the handling of passwords: The init method now accepts if the password is not provided and in that case is restricted to operate on decrypted vault files. The ‘easy_vault.get_password()’ function got an additional ‘use_prompting’ parameter that can be used to disable the interactive prompting for passwords. (issue #20)
In the ‘easy-vault encrypt’ and ‘easy-vault decrypt’ commands, removed the ‘–prompt’ option and added options ‘–set-password’ and ‘–no-keyring’ to better separate the two concerns of setting a new password and disabling the use of the keyring service. (issue #20)
Docs: Improved the documentation and command messages in many places.
Added a ‘–quiet’ option to the ‘easy-vault encrypt’ and ‘easy-vault decrypt’ commands that silöences the messages except for the password prompt. (issue #12)
In the ‘KeyRingLib’ class, added methods ‘is_available()’ and ‘check_available() that return whether the keyring service is available or check that it is available. (issue #34)
Added a new ‘easy-vault check-keyring’ command that checks whether the keyring service is available. (issue #36)
Test: Improved test coverage. (issue #8)

Version 0.5.0¶

Released: 2021-03-29

Initial release.