wauth.drivers.local module

Local driver for encrypted secret storage.

Handles encryption/decryption of secrets and persistence via the Vault.

class wauth.drivers.local.LocalDriver(custom_key=None)[source]

Bases: object

Driver that stores secrets locally using Fernet encryption.

Combines the cryptographic engine with the SQLite-backed vault for persistent, machine-locked secret storage.

Parameters:

custom_key (str | None) – Optional custom encryption key string.

__init__(custom_key=None)[source]
set_secret(key, value, ttl=None)[source]

Encrypt and store a text secret.

Parameters:
  • key (str) – Unique identifier for the secret.

  • value (str) – Plaintext value to encrypt.

  • ttl (float | None) – Optional time-to-live in seconds. None means no expiration.

set_file(key, file_path, ttl=None)[source]

Encrypt and store a file’s contents.

Parameters:
  • key (str) – Unique identifier for the file secret.

  • file_path (str) – Path to the file to encrypt and store.

  • ttl (float | None) – Optional time-to-live in seconds.

get_secret(key)[source]

Retrieve and decrypt a secret by its key.

Parameters:

key (str) – Unique identifier for the secret.

Returns:

Decrypted secret as str for text type or bytes for file type. Returns None if the key does not exist.

Return type:

str | bytes | None

delete_secret(key)[source]

Delete a secret from the vault.

Parameters:

key (str) – Unique identifier for the secret to remove.

Raises:

KeyNotFoundError – If the key does not exist.

list_keys()[source]

List all secret keys stored in the vault.

Returns:

A list of all key names.

Return type:

list[str]

rotate_key(new_custom_key, keys_to_migrate=None)[source]

Rotate the encryption key and re-encrypt existing secrets.

Creates a new CryptoEngine with the provided key, decrypts each secret to be migrated with the current engine, and re-encrypts it with the new engine. Check the returned dictionary after rotating: a key mapped to False was not re-encrypted under the new key.

Parameters:
  • new_custom_key (str) – The new custom key to use for encryption.

  • keys_to_migrate (list[str] | None) – Specific keys to migrate. If None, all keys in the vault are migrated.

Returns:

A dictionary mapping each key to a boolean indicating success (True) or failure (False).

Return type:

dict[str, bool]

valid_secret(key, value_to_check)[source]

Verify whether the stored secret matches the provided value without exposing it.

Unlike get_secret(), this method never returns the decrypted secret. The comparison is constant-time, so a mismatch does not reveal, through response time, how many leading bytes of the guess were correct.

Parameters:
  • key (str) – Unique identifier for the secret.

  • value_to_check (str) – Plaintext value to compare against stored secret.

Returns:

True if values match, False otherwise (or if key doesn’t exist).

Return type:

bool
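The set_secret/get_secret TTL handling, rotate_key and valid_secret semantics described above, as an added worked example that is not wauth's own code: a minimal in-memory stand-in for LocalDriver (a dict replaces the SQLite vault; set_file, delete_secret and list_keys are omitted) built on cryptography.fernet. The PBKDF2 key-derivation step and its fixed salt, the names DemoLocalDriver, engine_from_custom_key and demo_run, and the injectable clock are all assumptions made for illustration; wauth does not document how custom_key becomes a Fernet key.

```python
# Added illustration (not wauth's code): a Fernet-backed driver with the same
# method names as LocalDriver, using a dict in place of the SQLite vault.
import base64
import hashlib
import hmac
import time

from cryptography.fernet import Fernet, InvalidToken

# ASSUMPTION: wauth does not document how custom_key becomes a Fernet key.
# This demo stretches it with PBKDF2 under a fixed salt; a real vault should
# keep a random per-vault salt beside the ciphertexts.
_DEMO_SALT = b"demo-salt-not-for-production"

def engine_from_custom_key(custom_key):
    raw = hashlib.pbkdf2_hmac("sha256", custom_key.encode("utf-8"),
                              _DEMO_SALT, 100_000, dklen=32)
    return Fernet(base64.urlsafe_b64encode(raw))

class DemoLocalDriver:
    def __init__(self, custom_key, clock=time.time):
        self._engine = engine_from_custom_key(custom_key)
        self._clock = clock                 # injectable for deterministic TTL checks
        self._vault = {}                    # key -> (fernet token, expires_at | None)

    def set_secret(self, key, value, ttl=None):
        expires_at = None if ttl is None else self._clock() + ttl
        self._vault[key] = (self._engine.encrypt(value.encode("utf-8")), expires_at)

    def get_secret(self, key):
        entry = self._vault.get(key)
        if entry is None:
            return None
        token, expires_at = entry
        if expires_at is not None and self._clock() >= expires_at:
            del self._vault[key]            # expired entry is purged on first read
            return None
        # Fernet authenticates before decrypting: a tampered token raises InvalidToken
        return self._engine.decrypt(token).decode("utf-8")

    def rotate_key(self, new_custom_key, keys_to_migrate=None):
        new_engine = engine_from_custom_key(new_custom_key)
        targets = list(self._vault) if keys_to_migrate is None else keys_to_migrate
        results = {}
        for key in targets:
            entry = self._vault.get(key)
            if entry is None:
                results[key] = False        # nothing to migrate under that name
                continue
            token, expires_at = entry
            try:
                plain = self._engine.decrypt(token)
            except InvalidToken:
                results[key] = False        # stays under the old key: unreadable after swap
                continue
            self._vault[key] = (new_engine.encrypt(plain), expires_at)
            results[key] = True
        self._engine = new_engine
        return results

    def valid_secret(self, key, value_to_check):
        stored = self.get_secret(key)
        if stored is None:
            return False
        # compare_digest only accepts ASCII str, so compare UTF-8 bytes instead
        return hmac.compare_digest(stored.encode("utf-8"), value_to_check.encode("utf-8"))

def demo_run():
    """Exercise the stand-in with a fake clock; returns observations to check."""
    now = [1_000.0]
    drv = DemoLocalDriver("first-passphrase", clock=lambda: now[0])
    drv.set_secret("db/password", "s3cr3t-pässword")   # constructed; non-ASCII on purpose
    drv.set_secret("api/token", "tok-123", ttl=30)
    out = {
        "text": drv.get_secret("db/password"),
        "valid_ok": drv.valid_secret("db/password", "s3cr3t-pässword"),
        "valid_bad": drv.valid_secret("db/password", "s3cr3t-password"),
        "valid_missing": drv.valid_secret("nope", "x"),
    }
    now[0] += 31                                        # api/token is now past its TTL
    out["expired"] = drv.get_secret("api/token")
    out["rotation"] = drv.rotate_key("second-passphrase", ["db/password", "ghost"])
    out["after_rotation"] = drv.get_secret("db/password")
    # flip one bit in the stored token's HMAC tag: Fernet must refuse to decrypt it
    token, expires_at = drv._vault["db/password"]
    raw = base64.urlsafe_b64decode(token)
    raw = raw[:-1] + bytes([raw[-1] ^ 0x01])
    drv._vault["db/password"] = (base64.urlsafe_b64encode(raw), expires_at)
    try:
        drv.get_secret("db/password")
        out["tamper_rejected"] = False
    except InvalidToken:
        out["tamper_rejected"] = True
    # why valid_secret encodes to bytes: compare_digest rejects non-ASCII str
    try:
        hmac.compare_digest("pässword", "pässword")
        out["ascii_only_pitfall"] = False
    except TypeError:
        out["ascii_only_pitfall"] = True
    return out
```

Two points the stand-in makes concrete. After rotate_key the driver holds only the new engine, so any entry that was not in keys_to_migrate, or that came back False, is still ciphertext under the old key and is unreadable from then on; rotate everything you intend to keep, or re-set those entries, before the old passphrase is discarded. And hmac.compare_digest accepts str only when it is pure ASCII, so a verifier that compares str objects breaks on the first non-ASCII password; comparing the UTF-8 encodings avoids that while keeping the comparison constant-time.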