Secrets Module

Credential management delegated to panzer.

BinPan implements no encryption of its own. All credentials (Binance API keys, PostgreSQL/binbase passwords, Redis configs, etc.) are handled by panzer’s CredentialManager, which stores them in ~/.panzer_creds (sensitive values encrypted) and prompts the user the first time they are missing.

Secret management delegated to panzer.

BinPan does not implement its own encryption. All credentials (Binance API keys, PostgreSQL/binbase passwords, Redis configs, etc.) are handled by panzer.credentials.CredentialManager, which stores them in ~/.panzer_creds with three layers: in-memory cache, on-disk file (sensitive values encrypted with AES-128-CBC) and an interactive prompt when a credential is missing.

panzer auto-detects sensitive names by the markers secret, api_key, password and _id. Choose credential names accordingly so that sensitive values are encrypted and transparently decrypted on read:

  • postgresql_password / binbase_password -> encrypted (password)

  • postgresql_host / postgresql_user / … -> stored as plain text

  • redis_conf / sentinel_data -> JSON, plain text (see *_json_secret)

Functions:

get_secret(name, *[, decrypt])

Get a credential as plain text.

set_secret(name, value, *[, sensitive, ...])

Store a credential in panzer (encrypted on disk if sensitive).

get_json_secret(name)

Get a credential serialized as JSON (e.g. Redis / Sentinel configs).

set_json_secret(name, value, *[, overwrite])

Store a dict credential as a JSON string in panzer.

get_secret(name: str, *, decrypt: bool = True) str[source]

Get a credential as plain text. Resolves memory -> disk -> prompt.

Parameters:
  • name (str) – Credential name (e.g. "postgresql_password").

  • decrypt (bool) – If True, decrypt sensitive values before returning.

Return str:

The credential value in plain text.

set_secret(name: str, value: str, *, sensitive: bool | None = None, overwrite: bool = True) None[source]

Store a credential in panzer (encrypted on disk if sensitive).

Parameters:
  • name (str) – Credential name.

  • value (str) – Plain text value.

  • sensitive – Force encryption (True/False) or auto-detect by name (None).

  • overwrite (bool) – Overwrite if it already exists on disk.

get_json_secret(name: str) dict[source]

Get a credential serialized as JSON (e.g. Redis / Sentinel configs).

Parameters:

name (str) – Credential name.

Return dict:

The deserialized value.

set_json_secret(name: str, value: dict, *, overwrite: bool = True) None[source]

Store a dict credential as a JSON string in panzer.

Parameters:
  • name (str) – Credential name.

  • value (dict) – The dictionary to serialize and store.

  • overwrite (bool) – Overwrite if it already exists on disk.