PyPI - dotenv-webauthn-crypt - Versions diffs - 0.1.2__tar.gz - Mend

dotenv-webauthn-crypt 0.1.2__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

dotenv_webauthn_crypt-0.1.2/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Jose Luu
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

dotenv_webauthn_crypt-0.1.2/PKG-INFO ADDED Viewed

@@ -0,0 +1,84 @@
+Metadata-Version: 2.4
+Name: dotenv-webauthn-crypt
+Version: 0.1.2
+Summary: Drop-in dotenv replacement with Windows Hello encryption.
+Author-email: Jose Luu <jose.luu@example.com>
+Project-URL: Homepage, https://github.com/joseluu/dotenv-webauthn-crypt
+Project-URL: Bug Tracker, https://github.com/joseluu/dotenv-webauthn-crypt/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Topic :: Security :: Cryptography
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=42.0.0
+Dynamic: license-file
+#  dotenv-webauthn-crypt
+**Transparent, Windows Hello-backed encryption for your `.env` files.**
+`dotenv-webauthn-crypt` is a drop-in replacement for `python-dotenv` that keeps your secrets **encrypted at rest** and gates access behind **WebAuthn (Biometrics/PIN)**. It, ensuring that your Master Key never exists in plaintext on disk.
+##  Features
+-   **Seamless Integration**: Use `load_dotenv()` just like you always have.
+-   **Hardware Security**: Private keys stay in the TPM.
+-   **Biometric Decryption**: Prompts for Fingerprint/PIN when loading secrets.
+-   **Strong Cryptography**: Uses AES-256-GCM for encryption and HKDF-SHA256 for key derivation.
+-   **Vault Isolation**: Each `.env` file has its own unique derived vault key.
+##  Installation
+### Prerequisites
+-   **Windows 10/11** with Windows Hello enabled.
+-   **Visual Studio 2022 Build Tools** (only if building from source).
+```powershell
+pip install dotenv-webauthn-crypt
+```
+##  Usage
+### 1. Initialize your machine
+Create your machine-specific root credential in the TPM:
+```powershell
+dotenv-webauthn-crypt-cli init --user MyWindowsUser
+```
+### 2. Encrypt an existing .env file
+This will replace plaintext values with encrypted `ENC:...` blobs:
+```powershell
+dotenv-webauthn-crypt-cli encrypt .env
+```
+### 3. Load in your Python code
+```python
+from dotenv_webauthn_crypt import load_dotenv
+# This will trigger a Windows Hello prompt if encrypted values are detected
+load_dotenv()
+import os
+print(os.environ.get("MY_SECRET_KEY"))
+```
+##  Architecture
+1.  **Registration**: `init` creates a non-resident public/private key pair in the TPM. The `CredentialID` is saved locally.
+2.  **Encryption**: A `VaultKey` is derived using HKDF from a TPM-backed signature and the file's canonical path.
+3.  **Loading**: `load_dotenv` detects `ENC:` prefixes, triggers Windows Hello to get a fresh signature, re-derives the `VaultKey`, and decrypts the values into `os.environ`.
+##  TODO / Roadmap
+- [ ] Usage of Windows Hello as it uses the TPM (Trusted Platform Module) to sign challenges
+- [ ] **Linux Support**: Implement a Linux backend using the **TPM2-TSS** or **libfido2** for similar biometric/hardware protection.
+- [ ] **macOS Support**: Implement a macOS backend using **Secure Enclave / Touch ID**.
+- [ ] **Credential Rotation**: Add `rekey` command to migrate between hardware credentials.
+##  License
+Distributed under the MIT License. See `LICENSE` for more information.

dotenv_webauthn_crypt-0.1.2/README.md ADDED Viewed

@@ -0,0 +1,67 @@
+#  dotenv-webauthn-crypt
+**Transparent, Windows Hello-backed encryption for your `.env` files.**
+`dotenv-webauthn-crypt` is a drop-in replacement for `python-dotenv` that keeps your secrets **encrypted at rest** and gates access behind **WebAuthn (Biometrics/PIN)**. It, ensuring that your Master Key never exists in plaintext on disk.
+##  Features
+-   **Seamless Integration**: Use `load_dotenv()` just like you always have.
+-   **Hardware Security**: Private keys stay in the TPM.
+-   **Biometric Decryption**: Prompts for Fingerprint/PIN when loading secrets.
+-   **Strong Cryptography**: Uses AES-256-GCM for encryption and HKDF-SHA256 for key derivation.
+-   **Vault Isolation**: Each `.env` file has its own unique derived vault key.
+##  Installation
+### Prerequisites
+-   **Windows 10/11** with Windows Hello enabled.
+-   **Visual Studio 2022 Build Tools** (only if building from source).
+```powershell
+pip install dotenv-webauthn-crypt
+```
+##  Usage
+### 1. Initialize your machine
+Create your machine-specific root credential in the TPM:
+```powershell
+dotenv-webauthn-crypt-cli init --user MyWindowsUser
+```
+### 2. Encrypt an existing .env file
+This will replace plaintext values with encrypted `ENC:...` blobs:
+```powershell
+dotenv-webauthn-crypt-cli encrypt .env
+```
+### 3. Load in your Python code
+```python
+from dotenv_webauthn_crypt import load_dotenv
+# This will trigger a Windows Hello prompt if encrypted values are detected
+load_dotenv()
+import os
+print(os.environ.get("MY_SECRET_KEY"))
+```
+##  Architecture
+1.  **Registration**: `init` creates a non-resident public/private key pair in the TPM. The `CredentialID` is saved locally.
+2.  **Encryption**: A `VaultKey` is derived using HKDF from a TPM-backed signature and the file's canonical path.
+3.  **Loading**: `load_dotenv` detects `ENC:` prefixes, triggers Windows Hello to get a fresh signature, re-derives the `VaultKey`, and decrypts the values into `os.environ`.
+##  TODO / Roadmap
+- [ ] Usage of Windows Hello as it uses the TPM (Trusted Platform Module) to sign challenges
+- [ ] **Linux Support**: Implement a Linux backend using the **TPM2-TSS** or **libfido2** for similar biometric/hardware protection.
+- [ ] **macOS Support**: Implement a macOS backend using **Secure Enclave / Touch ID**.
+- [ ] **Credential Rotation**: Add `rekey` command to migrate between hardware credentials.
+##  License
+Distributed under the MIT License. See `LICENSE` for more information.

dotenv_webauthn_crypt-0.1.2/ext/native.cpp ADDED Viewed

@@ -0,0 +1,112 @@
+#include <pybind11/pybind11.h>
+#include <pybind11/stl.h>
+#include <windows.h>
+#include <webauthn.h>
+#include <vector>
+#include <string>
+#include <stdexcept>
+namespace py = pybind11;
+// Helper to convert std::string to std::wstring
+std::wstring to_wstring(const std::string& s) {
+    int len = MultiByteToWideChar(CP_UTF8, 0, s.c_str(), -1, NULL, 0);
+    std::wstring ws(len, L'\0');
+    MultiByteToWideChar(CP_UTF8, 0, s.c_str(), -1, &ws[0], len);
+    return ws;
+}
+std::vector<uint8_t> make_credential(const std::string& rp_id, const std::string& user_name) {
+    HWND hwnd = GetForegroundWindow();
+    std::wstring wrp_id = to_wstring(rp_id);
+    std::wstring wuser_name = to_wstring(user_name);
+    WEBAUTHN_RP_ENTITY_INFORMATION rpInfo = { 0 };
+    rpInfo.dwVersion = WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION;
+    rpInfo.pwszId = wrp_id.c_str();
+    rpInfo.pwszName = L"Dotenv WebAuthn Crypt";
+    BYTE userId[] = "user123";
+    WEBAUTHN_USER_ENTITY_INFORMATION userInfo = { 0 };
+    userInfo.dwVersion = WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION;
+    userInfo.cbId = sizeof(userId);
+    userInfo.pbId = userId;
+    userInfo.pwszName = wuser_name.c_str();
+    userInfo.pwszDisplayName = wuser_name.c_str();
+    WEBAUTHN_COSE_CREDENTIAL_PARAMETER alg = { 0 };
+    alg.dwVersion = WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION;
+    alg.pwszCredentialType = WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY;
+    alg.lAlg = WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256;
+    WEBAUTHN_COSE_CREDENTIAL_PARAMETERS pubKeyParams = { 1, &alg };
+    BYTE challenge[32];
+    memset(challenge, 0xEE, 32);
+    WEBAUTHN_CLIENT_DATA clientData = { 0 };
+    clientData.dwVersion = WEBAUTHN_CLIENT_DATA_CURRENT_VERSION;
+    clientData.cbClientDataJSON = 32;
+    clientData.pbClientDataJSON = challenge;
+    clientData.pwszHashAlgId = WEBAUTHN_HASH_ALGORITHM_SHA_256;
+    WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS options = { 0 };
+    options.dwVersion = WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION;
+    options.dwTimeoutMilliseconds = 60000;
+    options.dwAuthenticatorAttachment = WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM;
+    // Non-Resident Flow: More compatible, does not try to "save" to TPM permanent storage slots
+    options.bRequireResidentKey = FALSE;
+    options.dwUserVerificationRequirement = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED;
+    options.dwAttestationConveyancePreference = WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE;
+    PWEBAUTHN_CREDENTIAL_ATTESTATION pAttestation = nullptr;
+    HRESULT hr = WebAuthNAuthenticatorMakeCredential(hwnd, &rpInfo, &userInfo, &pubKeyParams, &clientData, &options, &pAttestation);
+    if (FAILED(hr)) {
+        throw std::runtime_error("WebAuthNAuthenticatorMakeCredential failed with HRESULT: " + std::to_string(hr));
+    }
+    std::vector<uint8_t> result(pAttestation->pbCredentialId, pAttestation->pbCredentialId + pAttestation->cbCredentialId);
+    WebAuthNFreeCredentialAttestation(pAttestation);
+    return result;
+}
+std::vector<uint8_t> get_assertion(const std::string& rp_id, const std::vector<uint8_t>& credential_id, const std::vector<uint8_t>& challenge) {
+    HWND hwnd = GetForegroundWindow();
+    std::wstring wrp_id = to_wstring(rp_id);
+    WEBAUTHN_CLIENT_DATA clientData = { 0 };
+    clientData.dwVersion = WEBAUTHN_CLIENT_DATA_CURRENT_VERSION;
+    clientData.cbClientDataJSON = (DWORD)challenge.size();
+    clientData.pbClientDataJSON = (PBYTE)challenge.data();
+    clientData.pwszHashAlgId = WEBAUTHN_HASH_ALGORITHM_SHA_256;
+    WEBAUTHN_CREDENTIAL cred = { 0 };
+    cred.dwVersion = WEBAUTHN_CREDENTIAL_CURRENT_VERSION;
+    cred.cbId = (DWORD)credential_id.size();
+    cred.pbId = const_cast<PBYTE>(credential_id.data());
+    cred.pwszCredentialType = WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY;
+    WEBAUTHN_CREDENTIALS creds = { 1, &cred };
+    WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS options = { 0 };
+    options.dwVersion = WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION;
+    options.dwTimeoutMilliseconds = 60000;
+    options.CredentialList = creds;
+    options.dwUserVerificationRequirement = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED;
+    PWEBAUTHN_ASSERTION pAssertion = nullptr;
+    HRESULT hr = WebAuthNAuthenticatorGetAssertion(hwnd, wrp_id.c_str(), &clientData, &options, &pAssertion);
+    if (FAILED(hr)) {
+        throw std::runtime_error("WebAuthNAuthenticatorGetAssertion failed with HRESULT: " + std::to_string(hr));
+    }
+    std::vector<uint8_t> result(pAssertion->pbSignature, pAssertion->pbSignature + pAssertion->cbSignature);
+    WebAuthNFreeAssertion(pAssertion);
+    return result;
+}
+PYBIND11_MODULE(_native, m) {
+    m.def("make_credential", &make_credential, "Create a WebAuthn credential (non-resident)");
+    m.def("get_assertion", &get_assertion, "Get WebAuthn assertion (signature)");
+}

dotenv_webauthn_crypt-0.1.2/pyproject.toml ADDED Viewed

@@ -0,0 +1,40 @@
+[build-system]
+requires = ["setuptools>=61.0", "pybind11"]
+build-backend = "setuptools.build_meta"
+[project]
+name = "dotenv-webauthn-crypt"
+version = "0.1.2"
+authors = [
+  { name="Jose Luu", email="jose.luu@example.com" },
+]
+description = "Drop-in dotenv replacement with Windows Hello encryption."
+readme = "README.md"
+requires-python = ">=3.8"
+dependencies = [
+    "cryptography>=42.0.0",
+]
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: Microsoft :: Windows",
+    "Topic :: Security :: Cryptography",
+]
+[project.urls]
+"Homepage" = "https://github.com/joseluu/dotenv-webauthn-crypt"
+"Bug Tracker" = "https://github.com/joseluu/dotenv-webauthn-crypt/issues"
+[project.scripts]
+dotenv-webauthn-crypt-cli = "dotenv_webauthn_crypt.cli:main"
+[tool.setuptools]
+packages = ["dotenv_webauthn_crypt"]
+package-dir = {"" = "src"}
+[tool.cibuildwheel]
+build = "cp38-* cp39-* cp310-* cp311-* cp312-*"
+skip = "*-win32 pp*"
+[tool.cibuildwheel.windows]
+before-build = "pip install pybind11"

dotenv_webauthn_crypt-0.1.2/setup.cfg ADDED Viewed

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build =
+tag_date = 0

dotenv_webauthn_crypt-0.1.2/setup.py ADDED Viewed

@@ -0,0 +1,17 @@
+import os
+from setuptools import setup, Extension
+import pybind11
+ext_modules = [
+    Extension(
+        "dotenv_webauthn_crypt._native",
+        ["ext/native.cpp"],
+        include_dirs=[pybind11.get_include()],
+        language="c++",
+        libraries=["webauthn", "bcrypt", "user32"],
+    ),
+]
+setup(
+    ext_modules=ext_modules,
+)

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt/__init__.py ADDED Viewed

@@ -0,0 +1,3 @@
+from . import _native
+from .core import load_dotenv
+from .cli import main

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt/cli.py ADDED Viewed

@@ -0,0 +1,36 @@
+import sys
+import argparse
+from .core import load_dotenv, init_credential, encrypt_file
+def main():
+    parser = argparse.ArgumentParser(description="dotenv-webauthn-crypt CLI")
+    parser.add_argument("command", choices=["encrypt", "decrypt", "init", "rekey"])
+    parser.add_argument("env_path", nargs="?", default=".env")
+    parser.add_argument("--user", help="User name for init", default="default_user")
+    args = parser.parse_args()
+    try:
+        if args.command == "init":
+            init_credential(args.user)
+        elif args.command == "encrypt":
+            encrypt_file(args.env_path)
+        elif args.command == "decrypt":
+            # Just to verify load_dotenv logic via CLI
+            load_dotenv(args.env_path)
+            print("Loaded (decrypted) variables into environment.")
+            # Show decrypted values for verification
+            with open(args.env_path, "r") as f:
+                for line in f:
+                    if "=" in line:
+                        key, _ = line.strip().split("=", 1)
+                        import os
+                        print(f"{key}={os.environ.get(key)}")
+        else:
+            print(f"Command '{args.command}' not yet implemented.")
+    except Exception as e:
+        print(f"Error: {e}")
+        sys.exit(1)
+if __name__ == "__main__":
+    main()

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt/core.py ADDED Viewed

@@ -0,0 +1,138 @@
+import os
+import base64
+import hashlib
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.backends import default_backend
+from . import _native
+# Configuration
+RP_ID = "credentials.dotenv-webauthn.com"
+DATA_DIR = os.path.join(os.environ.get("LOCALAPPDATA", ""), "dotenv-webauthn")
+CREDENTIAL_FILE = os.path.join(DATA_DIR, "credential.bin")
+def ensure_data_dir():
+    if not os.path.exists(DATA_DIR):
+        os.makedirs(DATA_DIR)
+def init_credential(user_name: str = "default_user"):
+    ensure_data_dir()
+    credential_id = _native.make_credential(RP_ID, user_name)
+    with open(CREDENTIAL_FILE, "wb") as f:
+        f.write(bytes(credential_id))
+    print(f"Root credential initialized and saved to {CREDENTIAL_FILE}")
+def get_root_credential_id() -> bytes:
+    if not os.path.exists(CREDENTIAL_FILE):
+        raise FileNotFoundError("Root credential not found. Run 'init' first.")
+    with open(CREDENTIAL_FILE, "rb") as f:
+        return f.read()
+def get_master_key() -> bytes:
+    credential_id = get_root_credential_id()
+    # Challenge can be fixed as per design docs/purpose.md
+    challenge = b"dotenv-webauthn-fixed-challenge"
+    # Ensure challenge is 32 bytes for consistency with native
+    challenge_hash = hashlib.sha256(challenge).digest()
+    signature = _native.get_assertion(RP_ID, list(credential_id), list(challenge_hash))
+    return hashlib.sha256(bytes(signature)).digest()
+def get_vault_key(env_path: str, master_key: bytes) -> bytes:
+    vault_id = hashlib.sha256(os.path.abspath(env_path).encode()).digest()
+    hkdf = HKDF(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=vault_id,
+        info=b"dotenv-webauthn-v1",
+        backend=default_backend()
+    )
+    return hkdf.derive(master_key)
+def encrypt_value(plaintext: str, vault_key: bytes) -> str:
+    aesgcm = AESGCM(vault_key)
+    nonce = os.urandom(12)
+    ciphertext = aesgcm.encrypt(nonce, plaintext.encode('utf-8'), None)
+    # Format: version(1 byte) + nonce(12) + ciphertext(N) + tag(included in ciphertext in cryptography lib)
+    # version 0x01
+    full_data = b'\x01' + nonce + ciphertext
+    return "ENC:" + base64.b64encode(full_data).decode('utf-8')
+def decrypt_value(enc_value: str, vault_key: bytes) -> str:
+    if not enc_value.startswith("ENC:"):
+        return enc_value
+    data = base64.b64decode(enc_value[4:])
+    version = data[0]
+    if version != 1:
+        raise ValueError(f"Unsupported encryption version: {version}")
+    nonce = data[1:13]
+    ciphertext = data[13:]
+    aesgcm = AESGCM(vault_key)
+    return aesgcm.decrypt(nonce, ciphertext, None).decode('utf-8')
+def load_dotenv(dotenv_path: str = ".env"):
+    if not os.path.exists(dotenv_path):
+        return
+    # Check if we need to decrypt anything first
+    needs_decryption = False
+    lines = []
+    with open(dotenv_path, "r") as f:
+        lines = f.readlines()
+        for line in lines:
+            if "=" in line:
+                _, value = line.strip().split("=", 1)
+                if value.startswith("ENC:"):
+                    needs_decryption = True
+                    break
+    if not needs_decryption:
+        # Standard load
+        for line in lines:
+            if "=" in line:
+                key, value = line.strip().split("=", 1)
+                os.environ[key] = value
+        return
+    # Perform decryption
+    master_key = get_master_key()
+    vault_key = get_vault_key(dotenv_path, master_key)
+    for line in lines:
+        if "=" in line:
+            key, value = line.strip().split("=", 1)
+            if value.startswith("ENC:"):
+                try:
+                    os.environ[key] = decrypt_value(value, vault_key)
+                except Exception as e:
+                    print(f"Failed to decrypt {key}: {e}")
+            else:
+                os.environ[key] = value
+def encrypt_file(dotenv_path: str):
+    if not os.path.exists(dotenv_path):
+        raise FileNotFoundError(f"{dotenv_path} not found")
+    master_key = get_master_key()
+    vault_key = get_vault_key(dotenv_path, master_key)
+    new_lines = []
+    with open(dotenv_path, "r") as f:
+        for line in f:
+            if "=" in line:
+                key, value = line.strip().split("=", 1)
+                if not value.startswith("ENC:"):
+                    encrypted = encrypt_value(value, vault_key)
+                    new_lines.append(f"{key}={encrypted}\n")
+                else:
+                    new_lines.append(line)
+            else:
+                new_lines.append(line)
+    with open(dotenv_path, "w") as f:
+        f.writelines(new_lines)
+    print(f"File {dotenv_path} encrypted successfully.")

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt.egg-info/PKG-INFO ADDED Viewed

@@ -0,0 +1,84 @@
+Metadata-Version: 2.4
+Name: dotenv-webauthn-crypt
+Version: 0.1.2
+Summary: Drop-in dotenv replacement with Windows Hello encryption.
+Author-email: Jose Luu <jose.luu@example.com>
+Project-URL: Homepage, https://github.com/joseluu/dotenv-webauthn-crypt
+Project-URL: Bug Tracker, https://github.com/joseluu/dotenv-webauthn-crypt/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Topic :: Security :: Cryptography
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=42.0.0
+Dynamic: license-file
+#  dotenv-webauthn-crypt
+**Transparent, Windows Hello-backed encryption for your `.env` files.**
+`dotenv-webauthn-crypt` is a drop-in replacement for `python-dotenv` that keeps your secrets **encrypted at rest** and gates access behind **WebAuthn (Biometrics/PIN)**. It, ensuring that your Master Key never exists in plaintext on disk.
+##  Features
+-   **Seamless Integration**: Use `load_dotenv()` just like you always have.
+-   **Hardware Security**: Private keys stay in the TPM.
+-   **Biometric Decryption**: Prompts for Fingerprint/PIN when loading secrets.
+-   **Strong Cryptography**: Uses AES-256-GCM for encryption and HKDF-SHA256 for key derivation.
+-   **Vault Isolation**: Each `.env` file has its own unique derived vault key.
+##  Installation
+### Prerequisites
+-   **Windows 10/11** with Windows Hello enabled.
+-   **Visual Studio 2022 Build Tools** (only if building from source).
+```powershell
+pip install dotenv-webauthn-crypt
+```
+##  Usage
+### 1. Initialize your machine
+Create your machine-specific root credential in the TPM:
+```powershell
+dotenv-webauthn-crypt-cli init --user MyWindowsUser
+```
+### 2. Encrypt an existing .env file
+This will replace plaintext values with encrypted `ENC:...` blobs:
+```powershell
+dotenv-webauthn-crypt-cli encrypt .env
+```
+### 3. Load in your Python code
+```python
+from dotenv_webauthn_crypt import load_dotenv
+# This will trigger a Windows Hello prompt if encrypted values are detected
+load_dotenv()
+import os
+print(os.environ.get("MY_SECRET_KEY"))
+```
+##  Architecture
+1.  **Registration**: `init` creates a non-resident public/private key pair in the TPM. The `CredentialID` is saved locally.
+2.  **Encryption**: A `VaultKey` is derived using HKDF from a TPM-backed signature and the file's canonical path.
+3.  **Loading**: `load_dotenv` detects `ENC:` prefixes, triggers Windows Hello to get a fresh signature, re-derives the `VaultKey`, and decrypts the values into `os.environ`.
+##  TODO / Roadmap
+- [ ] Usage of Windows Hello as it uses the TPM (Trusted Platform Module) to sign challenges
+- [ ] **Linux Support**: Implement a Linux backend using the **TPM2-TSS** or **libfido2** for similar biometric/hardware protection.
+- [ ] **macOS Support**: Implement a macOS backend using **Secure Enclave / Touch ID**.
+- [ ] **Credential Rotation**: Add `rekey` command to migrate between hardware credentials.
+##  License
+Distributed under the MIT License. See `LICENSE` for more information.

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt.egg-info/SOURCES.txt ADDED Viewed

@@ -0,0 +1,15 @@
+LICENSE
+README.md
+pyproject.toml
+setup.py
+ext/native.cpp
+src/dotenv_webauthn_crypt/__init__.py
+src/dotenv_webauthn_crypt/cli.py
+src/dotenv_webauthn_crypt/core.py
+src/dotenv_webauthn_crypt.egg-info/PKG-INFO
+src/dotenv_webauthn_crypt.egg-info/SOURCES.txt
+src/dotenv_webauthn_crypt.egg-info/dependency_links.txt
+src/dotenv_webauthn_crypt.egg-info/entry_points.txt
+src/dotenv_webauthn_crypt.egg-info/requires.txt
+src/dotenv_webauthn_crypt.egg-info/top_level.txt
+tests/test_core.py

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt.egg-info/dependency_links.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt.egg-info/entry_points.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ [console_scripts]
2	+ dotenv-webauthn-crypt-cli = dotenv_webauthn_crypt.cli:main

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt.egg-info/requires.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ cryptography>=42.0.0

dotenv_webauthn_crypt-0.1.2/src/dotenv_webauthn_crypt.egg-info/top_level.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ dotenv_webauthn_crypt

dotenv_webauthn_crypt-0.1.2/tests/test_core.py ADDED Viewed

@@ -0,0 +1,15 @@
+import unittest
+from dotenv_webauthn_crypt.core import get_vault_key
+class TestCore(unittest.TestCase):
+    def test_vault_key_derivation(self):
+        master_key = b"secret_master_key_32bytes!!!!!"
+        env_path = ".env"
+        key1 = get_vault_key(env_path, master_key)
+        key2 = get_vault_key(env_path, master_key)
+        self.assertEqual(key1, key2)
+        self.assertEqual(len(key1), 32)
+if __name__ == "__main__":
+    unittest.main()