
Password protected secrets in public notebooks

This is a lightweight way of embedding a secret into a public notebook that is decrypted if the correct password is presented.

The idea is that there is some privileged user (e.g. the notebook author) who needs to run some admin commands occasionally, but most users do not.

This is simpler than hiding an API KEY for public use (Is it possible to encapsulate Secret-based code for public notebook use? - #4 by ciscorucinski), as we do not need to hide the secret from the accessing user in another environment.


Tom: Thank you! This is totally huge. I am toying around with it now and don’t exactly have a handle yet on how to implement, but if I am reading correctly you’ve now completely contained all encryption and decryption functions within a notebook?! Can I now store, say, an AWS IAM key value within a notebook without exposing it as clear text without involving some intermediary to help manage that handshake (if I am reading this right - I assume this is a ‘yes’)?

I haven’t yet got my head around how I will pass my traffic to and from AWS through this encryption to arrive at the key, but I am totally eager to learn. Can’t wait to find a few minutes to play! Thank you!


Yeah, keys were my motivation. The password holder decrypts the payload in their browser, so they are exposed to the plaintext key, but in the situations I would use this, that's OK as they are a privileged user.

My previous notebook Password Secured Clientside AWS Notebook / Tom Larkworthy / Observable hid the secret offsite, but this notebook stores the secret locally but encrypted, which is nicer if you are OK with the plaintext secret being exposed to the password holder.

1 Like
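The scheme described in the posts above, as an added example that is not the notebook's own code: the author encrypts the secret once, pastes only the resulting payload into the public notebook, and the password holder decrypts it in the browser. PBKDF2-SHA-256, AES-256-GCM, the iteration count and the names `encryptSecret` / `decryptSecret` are assumptions; the thread does not say which primitives the notebook uses.

```javascript
// Added example (not the notebook's code). Web Crypto is global in browsers and
// recent Node; the require() fallback is only reached on older Node versions.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const ITERATIONS = 600000; // assumed PBKDF2-SHA-256 work factor

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Stretch the password into an AES-256-GCM key bound to this payload's salt.
async function deriveKey(password, salt, iterations) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Run once by the author; the returned object is what goes into the public notebook.
async function encryptSecret(password, secret, iterations = ITERATIONS) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt, iterations);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(secret));
  return { iterations, salt: toHex(salt), iv: toHex(iv), ciphertext: toHex(new Uint8Array(ct)) };
}

// Run in the visitor's browser. Returns the plaintext, or null when the password
// is wrong or the payload was altered (the GCM tag check fails in both cases).
async function decryptSecret(password, payload) {
  const key = await deriveKey(password, fromHex(payload.salt), payload.iterations);
  try {
    const pt = await subtle.decrypt(
      { name: "AES-GCM", iv: fromHex(payload.iv) }, key, fromHex(payload.ciphertext));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

Because the payload is public, anyone can attempt password guesses against it offline, so the protection is only as strong as the password and the key-derivation cost.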

Ah thank you! I am seeing more clearly now how this works. 🙂 Thank you so much for sharing! This is terrific.

1 Like

Here is a full example, using Google Service account credentials (which are similar to IAM keys).

1 Like