Environment Secrets Rotator

What This Does

A CLI tool to help rotate secrets in environment files and generate commands for secret managers like HashiCorp Vault. Securely generates new random values for secrets, updates .env files, and provides rotation workflows for development and production environments.

Key features:

• Rotate secrets in .env files - Generate new random values for specified keys
• Multiple generation algorithms - Hex, base64, UUID, custom length
• Backup original files - Create backups before modification
• Dry-run mode - Preview changes without modifying files
• Generate Vault commands - Output HashiCorp Vault CLI commands for secret rotation
• Batch processing - Rotate multiple keys across multiple files
• Validation - Check .env file format and key existence
• Rotation history - Track previous values (optional)

How To Use

Basic rotation:

./scripts/main.py rotate --file .env --keys API_KEY,DB_PASSWORD

With custom generation:

./scripts/main.py rotate --file .env --keys API_KEY --algorithm base64 --length 32

Dry run (preview):

./scripts/main.py rotate --file .env --keys "*" --dry-run

Generate Vault commands:

./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/myapp

Full command reference:

./scripts/main.py help

Commands

• rotate: Rotate secrets in environment files
• --file: Path to .env file (required)
• --keys: Comma-separated keys to rotate, or "" for all (default: "")
• --algorithm: Random generation algorithm: hex, base64, uuid, alphanumeric (default: hex)
• --length: Length of generated secret (default: 32)
• --backup: Create backup before modifying (default: true)
• --dry-run: Preview changes without modifying files
• --output: Write to new file instead of modifying original

• vault: Generate HashiCorp Vault commands
• --keys: Comma-separated keys to generate commands for
• --path: Vault secret path (e.g., "secret/data/myapp")
• --engine: Vault secrets engine (default: "kv")
• --method: Vault method: patch, put (default: "patch")

• validate: Validate .env file
• --file: Path to .env file
• --strict: Require all values to be non-empty

• history: Show rotation history (if enabled)
• --file: Path to .env file
• --key: Specific key to show history for

Output

Rotation output:

{
  "file": ".env",
  "rotated": ["API_KEY", "DB_PASSWORD"],
  "new_values": {
    "API_KEY": "a1b2c3d4e5f6...",
    "DB_PASSWORD": "x9y8z7w6v5u4..."
  },
  "backup": ".env.backup.20260311",
  "vault_commands": [
    "vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...",
    "vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4..."
  ]
}

Vault commands output:

# Generated Vault commands for secret rotation:
vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...
vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4...

Limitations

• No actual Vault integration - Only generates commands; you must run them manually
• Local files only - Cannot rotate secrets in remote secret managers
• No key distribution - Does not distribute new secrets to services
• Basic .env format - Supports simple KEY=VALUE format; no multiline or complex parsing
• No encryption - Generated secrets are shown in plaintext in output
• History tracking optional - Requires enabling and may store sensitive data

Security Considerations

• Always review generated values before use
• Use --dry-run to preview changes
• Backups are created by default
• Generated secrets are cryptographically random (using Python's secrets module)
• Consider using a real secret manager for production secrets

Examples

Rotate all secrets in .env file:

./scripts/main.py rotate --file .env --keys "*" --backup true

Generate Vault commands for specific keys:

./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/production

Validate .env file before rotation:

./scripts/main.py validate --file .env --strict

Rotate with custom base64 secrets:

./scripts/main.py rotate --file .env --keys JWT_SECRET --algorithm base64 --length 64

Installation Notes

Uses Python's built-in secrets module for cryptographically secure random generation. No external dependencies required.