
# Python Storage 1.1.0

> **Breaking changes**
>
> **Python minimum version:** Raised from 3.6 to 3.9.2. Pin to `keeper-secrets-manager-storage<1.1.0` to stay on Python 3.6–3.8.
>
> **Core SDK minimum version:** Previously any version was accepted; the minimum is now 17.2.0.
>
> **KSM-964 — decrypt\_config() autosave default:** Changed from `True` to `False`. Calling `decrypt_config()` without arguments no longer writes plaintext credentials to disk. Pass `autosave=True` explicitly to preserve the previous behavior.

* **KSM-959:** All five backends are now thread-safe — added `threading.RLock` to prevent data corruption under concurrent reads and writes.
* **KSM-960:** Replaced MD5 with SHA-256 for change-detection hashing; fixed Azure AES-GCM nonce from 16 to 12 bytes (NIST SP 800-38D compliance).
* **KSM-961:** Encrypt/decrypt failures now raise instead of silently corrupting storage state.
* **KSM-962:** `delete_all()` now removes the backing config file instead of writing an empty encrypted blob.
* **KSM-963:** `__save_config` writes to disk before updating in-memory state — prevents in-memory/on-disk divergence on write failure.
* **KSM-965:** A plaintext `{}` bootstrap config is now correctly re-encrypted on first load instead of falling into the binary decrypt path.
* **KSM-966:** `_get_instance_region` and `read_config` (AWS Secrets Manager provider) now raise on failure instead of silently returning empty values.
* **KSM-967:** `AwsSecretStorage.__init__` now eagerly loads config on construction, matching all other backends; accepts any valid JSON dict (no longer requires `privateKey`).
* **KSM-972:** Non-UTF8 bytes that are not a valid encrypted blob now raise a clear `"is not a valid encrypted config file"` exception across all encrypted backends (nfast, AWS KMS, Azure KeyVault).
* **KSM-977:** `AwsSecretStorage.__load_config()` now raises when the underlying AWS Secrets Manager call fails — previously the exception was logged but not propagated, leaving `config = {}` silently.
* **KSM-978:** HsmNfast and AwsKms now raise `"is not a valid encrypted config file"` when decryption produces empty output — previously HsmNfast leaked a bare `JSONDecodeError` and AwsKms logged silently without raising, unlike Azure.
* **KSM-979:** `__save_config` and `create_config_file_if_missing` now use atomic writes (write to `<path>.tmp`, then `os.replace`) across all three encrypted file backends (Azure KeyVault, AWS KMS, HsmNfast) — a write failure no longer truncates the existing config to 0 bytes, and an encrypt failure in `create_config_file_if_missing` no longer leaves a 0-byte stub on disk.
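
The write ordering described in KSM-963 and KSM-979 (with the lock from KSM-959), as an added example that is not the SDK's own code. `AtomicConfigStore`, `simulate_failure`, the `config.bin` file name and the identity `encrypt` stand-in are hypothetical; the sample config values are constructed.

```python
import json
import os
import tempfile
import threading


class AtomicConfigStore:
    """Hypothetical store, not the SDK's class; `encrypt` stands in for a KMS/HSM call."""

    def __init__(self, path, encrypt):
        self.path = path
        self.encrypt = encrypt
        self.config = {}                 # in-memory state
        self._lock = threading.RLock()   # serialises concurrent saves

    def save(self, new_config):
        with self._lock:
            # Encrypt first: a failure here touches neither disk nor memory.
            blob = self.encrypt(json.dumps(new_config).encode("utf-8"))
            tmp = self.path + ".tmp"
            try:
                with open(tmp, "wb") as fh:
                    fh.write(blob)
                os.replace(tmp, self.path)  # atomic swap; old file is intact until here
            except BaseException:
                if os.path.exists(tmp):
                    os.remove(tmp)          # no stale stub left behind
                raise
            self.config = dict(new_config)  # memory changes only after disk succeeded


def simulate_failure(kind):
    """Save once, fail the second save; return (raised, on_disk, in_memory, files)."""
    with tempfile.TemporaryDirectory() as d:
        store = AtomicConfigStore(os.path.join(d, "config.bin"), encrypt=lambda b: b)
        store.save({"clientId": "constructed-1"})
        if kind == "encrypt":
            def bad(_):
                raise RuntimeError("simulated encrypt failure")
        else:  # "write": returning str makes fh.write() fail after the temp file exists
            def bad(b):
                return b.decode("utf-8")
        store.encrypt = bad
        try:
            store.save({"clientId": "constructed-2"})
            raised = False
        except (RuntimeError, TypeError):
            raised = True
        with open(store.path, "rb") as fh:
            return raised, json.loads(fh.read()), store.config, sorted(os.listdir(d))
```

In both failure modes the exception propagates, the previous config is still readable from disk, the in-memory copy matches it, and no `.tmp` file remains.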

**Security updates**

* **KSM-777:** Raised `keeper-secrets-manager-core` floor to ≥17.2.0, which transitively mandates `cryptography>=46.0.5` (fixing [CVE-2026-26007](https://nvd.nist.gov/vuln/detail/CVE-2026-26007), ECDH subgroup attack on SECT curves, HIGH, CVSS 8.2), `urllib3>=2.6.3`, and `requests>=2.32.4` (fixing [CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081), `.netrc` credential leak, MEDIUM, CVSS 5.3).

**Links:**

* [PyPI package](https://pypi.org/project/keeper-secrets-manager-storage/1.1.0/)
* See [Python SDK Documentation](https://docs.keeper.io/en/keeperpam/secrets-manager/developer-sdk-library/python-sdk)


