Skip to main content

A Django app for managing secrets.

Project description

django-encrypted-secrets

CircleCI Django Versions Python Versions

django-encrypted-secrets brings Rails-style credential encryption to the Django web framework.

Installation

To install django-encrypted-secrets, first pip install the module:

$ pip install django-encrypted-secrets

Add encrypted_secrets to INSTALLED_APPS in your django settings file:

INSTALLED_APPS = [
    ...
    'encrypted_secrets'
]

Finally, you must call load_secrets() from within your manage.py and wsgi.py files:

#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets

if __name__ == "__main__":
    load_secrets()
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
    # ...

Usage

django-encrypted-secrets works by using a key (stored locally in master.key file or read from the environment variable DJANGO_MASTER_KEY) and reading/writing secrets to the encrypted file secrets.yml.enc.

./manage.py init_secrets

You can edit the secrets by running:

./manage.py edit_secrets

When you save the file in your editor, its contents are encrypted and used to overwrite the secrets.yml.enc file.

Finally, to read secrets within your codebase, use the get_secret utility:

from encrypted_secrets import get_secret

# ...

secret_api_key = get_secret("secret_api_key")

You should always keep your master.key file .gitignored.

env mode (experimental)

django-encrypted-secrets experimentally supports loading key-value pairs from an encrypted file written in the dotenv format directly into the environment. To use this style of variable loading, you must pass env_mode=True to your load_secrets call in manage.py and wsgi.py:

#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets

if __name__ == "__main__":
    load_secrets(env_mode=True) # <- important
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
    # ...

You must also pass the --mode=env flag to the init_secrets management command when initializing django-encrypted-secrets:

$ ./manage.py init_secrets --mode=env

A template encrypted dotenv-type file will be written to secrets.env.enc. When using env mode, secrets are automatically added to the environment. This means that, in addition to being able to read secrets using the get_secret helper method, you may also read them as ordinary environment variables. If an environment variable configured in the file already exists in the environment, it will not be overriden. This is because we assume that you may want to override variables from django-encrypted-secrets with environment variables set in your deployment environment.

Example of reading environment variables directly from the environment and using get_secret:

import os
from encrypted_secrets import get_secret

# option 1 - read directly from the environment:
secret_api_key = os.environ.get('SECRET_API_KEY')

# option 2 - use get_secret:
secret_api_key = get_secret('SECRET_API_KEY')

Production considerations

django-encrypted-secrets looks for the encrypted secrets file within the current working directory from which you execute management commands (using os.getcwd()). This is implicitly the project root directory. Depending on your production server configuration, os.getcwd() may not actully return the project root. For production, we therefore recommend you explicitly set a DJANGO_SECRETS_ROOT environment variable pointing to the project root to hint to django-encrypted-secrets where it should look for the encrypted secrets file.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-encrypted-secrets-0.9.6.tar.gz (7.0 kB view details)

Uploaded Source

File details

Details for the file django-encrypted-secrets-0.9.6.tar.gz.

File metadata

  • Download URL: django-encrypted-secrets-0.9.6.tar.gz
  • Upload date:
  • Size: 7.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/41.0.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.3

File hashes

Hashes for django-encrypted-secrets-0.9.6.tar.gz
Algorithm Hash digest
SHA256 da439ad47d0a4a4f644db6e75c6affcd6c25deca987a030dab70991aa4965053
MD5 ac891839b9d8da520ae42c539b87aa0e
BLAKE2b-256 aea7a9615cfcbc4b45cf707f44822d0438beaf701aa6e1009e6aafcf3c4ce7d7

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page