Getting Started with Vaults

This guide walks you through the basics of working with Socket0 vaults.

Prerequisites

  • Python 3.10+
  • Socket0 SDK installed: pip install socket0-sdk

Step 1: Import Required Modules

python
from socket0.vault.base import SecretBucket
from Cryptodome.PublicKey import RSA

Step 2: Generate RSA Key Pair

python
# Generate a 2048-bit RSA key pair
key_pair = RSA.generate(2048)

# Access public and private keys
public_key = key_pair.publickey()
private_key = key_pair

Step 3: Create a Vault with a Secret

python
# Create a vault and encrypt a secret
vault = SecretBucket.create_with_rsa(
    secret="my-sensitive-data",
    public_key=public_key
)

print(f"Vault created: {vault}")
print(f"Is locked: {vault.is_locked()}")

Step 4: Retrieve the Secret

python
# Decrypt the secret using the private key
decrypted_secret = vault.reveal(private_key)

print(f"Decrypted: {decrypted_secret}")
assert decrypted_secret == "my-sensitive-data"

Full Example: Local Secret Management

python
import json

from socket0.vault.base import SecretBucket
from socket0.vault.models import SecretBucket as SecretBucketModel
from Cryptodome.PublicKey import RSA

# Step 1: Generate keys
key_pair = RSA.generate(2048)

# Step 2: Create vault with secret
secret_data = {
    "username": "admin",
    "password": "super-secret-password"
}
secret_json = json.dumps(secret_data)

vault = SecretBucket.create_with_rsa(
    secret=secret_json,
    public_key=key_pair.publickey()
)

# Step 3: Store vault (serialize)
vault_dict = vault.model_dump()
print("Vault stored:", vault_dict)

# Step 4: Later... load and decrypt
loaded_vault = SecretBucketModel.model_validate(vault_dict)
decrypted = loaded_vault.reveal(key_pair)
decoded_data = json.loads(decrypted)

print("Decrypted data:", decoded_data)

Using CLI for Vault Operations

If you have the CLI installed (pip install "socket0-sdk[cli]"; the quotes keep shells such as zsh from expanding the brackets):

bash
# Set environment variables
export SOCKET0_ENDPOINT=https://api.socket0.dev
export SOCKET0_API_KEY=your-api-key

# Create a vault
s0 vault create production-secrets --description "Production credentials"

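# Store a secret (a value given on the command line is saved in shell history
# and is visible in the process list while the command runs)
s0 vault set vault-id database-password --value "strong-password-123"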

# Retrieve the secret
s0 vault get vault-id database-password

# List all vaults
s0 vault list

# Delete a vault
s0 vault delete vault-id --confirm

Different Encryption Methods

RSA Encryption (Asymmetric)

Best for:

  • Small secrets (up to ~190 bytes)
  • Public key distribution scenarios

python
vault = SecretBucket.create_with_rsa(
    secret="small-secret",
    public_key=public_key
)

AES-CTR Encryption (Symmetric)

Best for:

  • Larger secrets
  • Streaming scenarios

python
from socket0.vault.crypto.models import AESCTRBucket
import os

key = os.urandom(32)  # 256-bit key
vault = AESCTRBucket()
vault.lock("large-secret-data-here", lambda x: x)  # Simplified example

AES-GCM Encryption (Symmetric with Auth)

Best for:

  • Larger secrets with authentication
  • Integrity verification

python
from socket0.vault.crypto.models import AESGCMBucket

vault = AESGCMBucket()
vault.lock("authenticated-secret", lambda x: x)  # Simplified example

Security Best Practices

  1. Protect Private Keys: Store private keys securely
  2. Use Strong Passwords: When creating secrets
  3. Rotate Keys: Periodically rotate encryption keys
  4. Environment Variables: Use environment variables for credentials
  5. Never Commit Secrets: Don't commit secrets to version control
  6. Use API Keys: For REST API operations, use proper API key management

Socket0 Python SDK License - Not open source. For usage terms see /license