How to I hide my secret_key using virtualenv and Django?
Question:
I am using Django, python, virtualenv, virtualenvwrapper and Vagrant.
So far I have simply left my secret_key inside of the settings.py file.
This works file for local files. However I have already placed my files in Git. I know this is not acceptable for production(Apache).
What is the correct way to go about hiding my secret_key?
Should I use virtualenv to hide it?
Answers:
Common approach, if you’d like to configure region, but did not want to store sensitive information in repo, is to pass it through environment variables. When you need it just call os.environ('SECRET') (even in your settings.py). Better with some fallback value.
Virtualenv does not helps you to hide anything, it just prevent you system-wide Python installation from littering by one-project-required-packages.
You can create a file named secret_settings.py and place your SECRET_KEY inside this file. Then add this file to .gitignore.
Then in your settings, you can remove the secret key variable and import it from there. This should ensure that SECRET_KEY variable remains out of version control.
Create a file named secret_settings and then place your SECRET_KEY and other secret settings in it.
SECRET_KEY = .. # add your setting here
Then in your settings.py file, import these settings.
from secret_settings import *
Finally, add secret_settings.py to your .gitignore file.
Note:
If you already have committed some sensitive data to your repo, then change it!
As per Github website in the removing sensitive data article:
If you committed a password, change it! If you committed a key,
generate a new one.
Check this link on how to purge a file from your repository’s history.
There’s a lot of different methods to hide secrets.
-
Use another, non-versioned file.
Create a new file secrets.py or what have you and put your secrets in that. Place it alongside your settings file and place everything secret in there; then in your settings file put from secrets import * at the top. Then, like Rahul said, add a .gitignore file and add secrets.py to this file so that it won’t be committed.
The disadvantage of this approach is that there is no source control at all on that file; if you lose it you’re SOL.
-
Use environment variables.
Use the Apache SetEnv or PassEnv directives to pass environment variables to your process, then retrieve them with os.environ() in your settings file. This has the advantage in that in development, you can set new variables (as simply as VAR1=whatever VAR2=whatever ... ./manage.py runserver ...) or set them from whatever mechanism you use to launch your development project.
The disadvantage is much the same; if you lose your Apache configs you’re boned.
-
Use a second repository in combination with method 1.
Personally, I like the idea of having a dedicated secrets repository that you put all your secrets into and keep that repo under lock and key. Then as part of your deployment process, you can use git archive or another similar command to extract the proper keys for the place you’re deploying to, and you can keep your secrets backed up and under version control easily. You can also add the appropriate files in the secrets repo to the .gitingore file of your site repository so that they don’t accidentally get committed.
The downside of this is that you have another extra repository and another deployment step. I think that’s worth it, personally, but it’s really up to you.
In general, the more secure you want it, the more inconvenient it’s going to be to access those secrets. That’s really a rule in general, though.
The solution I use is to create a file sec.py and place it next to my settings.py file. Then in at line 1 of settings.py call from .sec import *. Be sure to include the period in front of the file name. Be sure to list sec.py in your .gitignore file.
I create an .env file in the root directory of the project. Next, I copy SECRET_KEY to the .env file. I remove quotes from the key and spaces (SECRET_KEY=django-insecureÑ…jsdsdk 8747373884dydfds)). Next, install the pip install python-decouple library. After I do the import in settings.py – from decouple import config. Further in the field SECRET_KEY = config(‘SECRET_KEY’). Don’t forget to add .env in gitignore.
I am using Django, python, virtualenv, virtualenvwrapper and Vagrant.
So far I have simply left my secret_key inside of the settings.py file.
This works file for local files. However I have already placed my files in Git. I know this is not acceptable for production(Apache).
What is the correct way to go about hiding my secret_key?
Should I use virtualenv to hide it?
Common approach, if you’d like to configure region, but did not want to store sensitive information in repo, is to pass it through environment variables. When you need it just call os.environ('SECRET') (even in your settings.py). Better with some fallback value.
Virtualenv does not helps you to hide anything, it just prevent you system-wide Python installation from littering by one-project-required-packages.
You can create a file named secret_settings.py and place your SECRET_KEY inside this file. Then add this file to .gitignore.
Then in your settings, you can remove the secret key variable and import it from there. This should ensure that SECRET_KEY variable remains out of version control.
Create a file named secret_settings and then place your SECRET_KEY and other secret settings in it.
SECRET_KEY = .. # add your setting here
Then in your settings.py file, import these settings.
from secret_settings import *
Finally, add secret_settings.py to your .gitignore file.
Note:
If you already have committed some sensitive data to your repo, then change it!
As per Github website in the removing sensitive data article:
If you committed a password, change it! If you committed a key,
generate a new one.
Check this link on how to purge a file from your repository’s history.
There’s a lot of different methods to hide secrets.
-
Use another, non-versioned file.
Create a new file
secrets.pyor what have you and put your secrets in that. Place it alongside your settings file and place everything secret in there; then in your settings file putfrom secrets import *at the top. Then, like Rahul said, add a.gitignorefile and addsecrets.pyto this file so that it won’t be committed.The disadvantage of this approach is that there is no source control at all on that file; if you lose it you’re SOL.
-
Use environment variables.
Use the Apache
SetEnvorPassEnvdirectives to pass environment variables to your process, then retrieve them withos.environ()in your settings file. This has the advantage in that in development, you can set new variables (as simply asVAR1=whatever VAR2=whatever ... ./manage.py runserver ...) or set them from whatever mechanism you use to launch your development project.The disadvantage is much the same; if you lose your Apache configs you’re boned.
-
Use a second repository in combination with method 1.
Personally, I like the idea of having a dedicated
secretsrepository that you put all your secrets into and keep that repo under lock and key. Then as part of your deployment process, you can usegit archiveor another similar command to extract the proper keys for the place you’re deploying to, and you can keep your secrets backed up and under version control easily. You can also add the appropriate files in thesecretsrepo to the.gitingorefile of your site repository so that they don’t accidentally get committed.The downside of this is that you have another extra repository and another deployment step. I think that’s worth it, personally, but it’s really up to you.
In general, the more secure you want it, the more inconvenient it’s going to be to access those secrets. That’s really a rule in general, though.
The solution I use is to create a file sec.py and place it next to my settings.py file. Then in at line 1 of settings.py call from .sec import *. Be sure to include the period in front of the file name. Be sure to list sec.py in your .gitignore file.
I create an .env file in the root directory of the project. Next, I copy SECRET_KEY to the .env file. I remove quotes from the key and spaces (SECRET_KEY=django-insecureÑ…jsdsdk 8747373884dydfds)). Next, install the pip install python-decouple library. After I do the import in settings.py – from decouple import config. Further in the field SECRET_KEY = config(‘SECRET_KEY’). Don’t forget to add .env in gitignore.