7👍
The original question was about how to keep secrets in environment variables. This is discussed extensively in the book Two Scoops of Django. Below is a summary of what they said, followed by a caveat about using this technique.
Starting on page 48 (Section 5.3) of the edition for 1.11:
Every operating system supported by Django (and Python) provides the
easy capability to create environment variables.Here are the benefits of using environment variables for secret keys:
- Keeping secrets out of settings allows you to store every settings file in version control without hesitation. All of your Python code
really should be stored in version control, including your settings.- Instead of each developer maintaining their own copy-and-pasted version of local_settings.py.example for development, everyone shares
the same version-controlled settings/local.py .- System administrators can rapidly deploy the project without having to modify files containing Python code.
- Most platforms-as-a-service recommend the use of environment variables for configuration and have built-in features for setting and
managing them.
On the following page, the book continues:
Before you begin setting environment variables, you should have the
following:
- A way to manage the secret information you are going to store.
- A good understanding of how bash settings work on servers, or a willingness to have your project hosted by a platform-as-a-service.
They describe how to set the environment variables locally and in production (with Heroku as an example–you will need to check if you are using a different host this is just one possibility):
How To Set Environment Variables Locally
export SOME_SECRET_KEY=1c3-cr3am-15-yummyHow To Set Environment Variables in Production
heroku config:set SOME_SECRET_KEY=1c3-cr3am-15-yummy
Finally, on page 52 they give instructions for how to access the key. For instance you could put the first two lines below in your settings file to replace the raw key string that is put there by default:
>>> import os >>> os.environ['SOME_SECRET_KEY'] '1c3-cr3am-15-yummy'This snippet simply gets the value of the SOME_SECRET_KEY environment
variable from the operating system and saves it to a Python variable
called SOME_SECRET_KEY.Following this pattern means all code can remain in version control,
and all secrets remain safe.
Note this will not work in some cases, for instance if you are using an Apache server. To deal with situations where this pattern will not work, you should see Section 5.4 of their book (‘When You Can’t Use Environment Variables’). In that case, they recommend use a secret file.
As of late 2017, this technique of storing secrets in your environment variables is the recommended best practice in Two Scoops and in the Twelve Factor App design pattern. It is also recommended at the Django docs. However, there are some security risks: if some developer, or some code, has access to your system, they will have access to your environment variables and may inadvertently (or advertently) make them public. This point was made by Michael Reinsch here:
http://movingfast.io/articles/environment-variables-considered-harmful/
6👍
Store your local_settings.py data in a file encrypted with GPG – preferably as strictly key=value lines which you parse and assign to a dict (the other attractive approach would be to have it as executable python, but executable code in config files makes me shiver).
There’s a python gpg module so that’s not a problem. Get your keys from your keyring, and use the GPG keyring management tools so you don’t have to keep typing in your keychain password. Make sure you are reading the data straight from the encrypted file, and not just creating a decrypted temporary file which you read in. That’s a recipe for fail.
That’s just an outline, you’ll have to build it yourself.
This way the secret data remains solely in the process memory space, and not in a file or in environment variables.
- [Django]-Celery – Get task id for current task
- [Django]-Correct Way to Validate Django Model Objects?
- [Django]-Understanding Django-LDAP authentication
6👍
I doing my Django projects using Windows 7 and Powershell, so for me it was slightly different to set the environment variable. Once it was set though, I just did the following in my settings.py file:
import os
SECRET_KEY = os.environ["SOME_SECRET_KEY"]
To set a environment variable in Windows using PowerShell follow the instructions in the link below:
- [Django]-Django startswith on fields
- [Django]-Django batching/bulk update_or_create?
- [Django]-Django filter queryset on "tuples" of values for multiple columns
5👍
Ideally, local_settings.py should not be checked in for production/deployed server. You can keep backup copy somewhere else, but not in source control.
local_settings.py can be checked in with development configuration just for convenience, so that each developer need to change it.
Does that solve your problem?
- [Django]-How to apply multiple filters on a Django template variable?
- [Django]-Django REST Framework – Serializing optional fields
- [Django]-Is there a way to get custom Django admin actions to appear on the "change" view in addition to the "change list" view?
2👍
I wrote a getcreds() function which gets the secret key from a file. I keep the file in a place accessible to www-data so wherever I need credentials in settings.py I just make the call to getcreds() passing in the filename as an argument. It returns a list of all lines in the file and bingo I have the hidden secrets. Here is the code …
from __future__ import unicode_literals, absolute_import
import os
def getcreds(fname, project, credsroot='/var/www/creds', credsdir=None):
""" return a list of userid and password and perhaps other data """
if credsdir is None:
credsdir = os.path.join(credsroot, project)
creds = list()
fname = os.path.join(credsdir, fname).replace("\\", "/")
with open(fname, 'r') as f:
for line in f:
# remove leading/trailing whitespace and append to list
creds.append(line.strip())
assert creds, "The list of credentials is empty"
return creds
- [Django]-Page not found 404 Django media files
- [Django]-Display django-pandas dataframe in a django template
- [Django]-Django project models.py versus app models.py
2👍
Here’s one way to do it that is compatible with deployment on Heroku:
-
Create a gitignored file named
.envcontaining:export DJANGO_SECRET_KEY = 'replace-this-with-the-secret-key' -
Then edit
settings.pyto remove the actualSECRET_KEYand add this instead:SECRET_KEY = os.environ['DJANGO_SECRET_KEY'] -
Then when you want to run the development server locally, use:
source .env
python manage.py runserver -
When you finally deploy to Heroku, go to your app Settings tab and add DJANGO_SECRET_KEY to the Config Vars.
- [Django]-How to set ForeignKey in CreateView?
- [Django]-How does pgBouncer help to speed up Django
- [Django]-Django dumpdata UTF-8 (Unicode)
0👍
You can use keyring to store secret keys you don’t want in your files.
First set the secret key by calling keyring.set_password. This only needs to be done once.
import keyring
keyring.set_password("my_app", "secret_key", "af8b6067-c72d")
Once set, you can access your key with keyring.get_password
import keyring
secret_key = keyring.get_password("my_app", "secret_key")
# secret_key = "af8b6067-c72d"
- [Django]-Stack trace from manage.py runserver not appearing
- [Django]-Use "contains" and "iexact" at the same query in DJANGO
- [Django]-Django's SuspiciousOperation Invalid HTTP_HOST header
- [Django]-How to make Django's DateTimeField optional?
- [Django]-Django Rest Framework Postman Token Authentication
- [Django]-Can you change a field label in the Django Admin application?