Support encryption of .env file

[skymoore]

Working in a high security environment it is sometimes concerning to have a .env file sitting on your machine with plaintext credentials needed for development. It is also cumbersome to regularly recreate the .env file per working session if the credentials are particularly sensitive. One possible solution would be to support pgp encryption of the .env file, so a call to load dotenv would look like:

from dotenv import load_dotenv

load_dotenv(encrypted=True)

Right now I'm using some boilerplate code like this:

from os import getenv
from io import StringIO
from gnupg import GPG
from dotenv import load_dotenv

# encrypted with `gpg -o .env.gpg -e --default-recipient-self .env`
with open("test.env.gpg", "rb") as f:
    env_vars = GPG().decrypt_file(f)

if not env_vars.ok:
    raise Exception(f"Decryption failed: {env_vars.status}")

load_dotenv(stream=StringIO(env_vars.data.decode()))

foo = getenv("FOO")
print(f"FOO: {foo}")

This way the decrypted credentials will only ever exist in memory and since I use a yubikey to store my private keys, there is no way to access that key and retrieve those credentials without the physical key.

[theskumar]

Have you consider using https://github.com/getsops/sops or similar tool like git crypt.

Since I'm not a security expert, I'm little hesitant to add this as part of this library that I would have to maintain.