A Django app for managing secrets.
Project description
django-encrypted-secrets
django-encrypted-secrets
brings Rails-style encrypted credentials to the Django web framework.
Installation
To install django-encrypted-secrets
, first pip install the module:
$ pip install django-encrypted-secrets
Add encrypted_secrets
to INSTALLED_APPS in your django settings file:
INSTALLED_APPS = [
...
'encrypted_secrets'
]
Finally, you must call load_secrets()
from within your manage.py
and wsgi.py
files:
#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets
if __name__ == "__main__":
load_secrets()
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
# ...
Usage
django-encrypted-secrets
works by using a key (stored locally in master.key
file or read from the environment variable DJANGO_MASTER_KEY
) and reading/writing secrets to the encrypted file secrets.yml.enc
.
./manage.py init_secrets
You can edit the secrets by running:
./manage.py edit_secrets
When you save the file in your editor, its contents are encrypted and used to overwrite the secrets.yml.enc
file.
Finally, to read secrets within your codebase, use the get_secret
utility:
from encrypted_secrets import get_secret
# ...
secret_api_key = get_secret("secret_api_key")
You should always keep your master.key
file .gitignored
.
env mode (experimental)
django-encrypted-secrets
experimentally supports loading key-value pairs from an encrypted file written in the dotenv format directly into the environment. To use this style of variable loading, you must pass env_mode=True
to your load_secrets
call in manage.py
and wsgi.py
:
#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets
if __name__ == "__main__":
load_secrets(env_mode=True) # <- important
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
# ...
You must also pass the --mode=env
flag to the init_secrets
management command when initializing django-encrypted-secrets
:
$ ./manage.py init_secrets --mode=env
A template encrypted dotenv-type file will be written to secrets.env.enc
. When using env mode, secrets are automatically merged into the environment. This means that, in addition to being able to read secrets using the get_secret
helper method, you may also read them as ordinary environment variables:
import os
secret_api_key = os.environ.get('SECRET_API_KEY')
Production considerations
django-encrypted-secrets
looks for the encrypted secrets file within the current working directory from which you execute management commands (using os.getcwd()
). This is implicitly the project root directory. Depending on your production server configuration, os.getcwd()
may not actully return the project root. For production, we therefore recommend you explicitly set a DJANGO_SECRETS_ROOT
environment variable pointing to the project root to hint to django-encrypted-secrets
where it should look for the encrypted secrets file.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django-encrypted-secrets-0.9.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8a65f9a9a833114fec45d6c117c0aa2fadfbfd707e83f481d7a2c1177136899f |
|
MD5 | 19a4fce66e9dc43519ff6bb36f0e5385 |
|
BLAKE2b-256 | 0fcb0fb572ccf2599c17a9e18971322a82d165a5170eb86a998433d9c3784857 |
Hashes for django_encrypted_secrets-0.9.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d77afafd9602eea28ce4c3c99df83f895a432f6d70ee5ba509f1872b9cdd2940 |
|
MD5 | ffae44538fbc22f2211d3b32d40e7c47 |
|
BLAKE2b-256 | 446ad1a06eb2ba0e8eae2d1245d08c5888dfa7e75223e20303547b769770fcfa |