Skip to main content

A Django app for managing secrets.

Project description

django-encrypted-secrets

CircleCI Django Versions Python Versions

django-encrypted-secrets brings Rails-style credential encryption to the Django web framework.

Installation

To install django-encrypted-secrets, first pip install the module:

$ pip install django-encrypted-secrets

Add encrypted_secrets to INSTALLED_APPS in your django settings file:

INSTALLED_APPS = [
    ...
    'encrypted_secrets'
]

Finally, you must call load_secrets() from within your manage.py and wsgi.py files:

#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets

if __name__ == "__main__":
    load_secrets()
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
    # ...

Usage

django-encrypted-secrets works by using a key (stored locally in master.key file or read from the environment variable DJANGO_MASTER_KEY) and reading/writing secrets to the encrypted file secrets.yml.enc.

./manage.py init_secrets

You can edit the secrets by running:

./manage.py edit_secrets

When you save the file in your editor, its contents are encrypted and used to overwrite the secrets.yml.enc file.

Finally, to read secrets within your codebase, use the get_secret utility:

from encrypted_secrets import get_secret

# ...

secret_api_key = get_secret("secret_api_key")

You should always keep your master.key file .gitignored.

env mode (experimental)

django-encrypted-secrets experimentally supports loading key-value pairs from an encrypted file written in the dotenv format directly into the environment. To use this style of variable loading, you must pass env_mode=True to your load_secrets call in manage.py and wsgi.py:

#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets

if __name__ == "__main__":
    load_secrets(env_mode=True) # <- important
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
    # ...

You must also pass the --mode=env flag to the init_secrets management command when initializing django-encrypted-secrets:

$ ./manage.py init_secrets --mode=env

A template encrypted dotenv-type file will be written to secrets.env.enc. When using env mode, secrets are automatically added to the environment. This means that, in addition to being able to read secrets using the get_secret helper method, you may also read them as ordinary environment variables. If an environment variable configured in the file already exists in the environment, it will not be overriden. This is because we assume that you may want to override variables from django-encrypted-secrets with environment variables set in your deployment environment.

Example of reading environment variables directly from the environment and using get_secret:

import os
from encrypted_secrets import get_secret

# option 1 - read directly from the environment:
secret_api_key = os.environ.get('SECRET_API_KEY')

# option 2 - use get_secret:
secret_api_key = get_secret('SECRET_API_KEY')

Production considerations

django-encrypted-secrets looks for the encrypted secrets file within the current working directory from which you execute management commands (using os.getcwd()). This is implicitly the project root directory. Depending on your production server configuration, os.getcwd() may not actully return the project root. For production, we therefore recommend you explicitly set a DJANGO_SECRETS_ROOT environment variable pointing to the project root to hint to django-encrypted-secrets where it should look for the encrypted secrets file.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-encrypted-secrets-0.9.7.tar.gz (7.7 kB view details)

Uploaded Source

File details

Details for the file django-encrypted-secrets-0.9.7.tar.gz.

File metadata

  • Download URL: django-encrypted-secrets-0.9.7.tar.gz
  • Upload date:
  • Size: 7.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/41.0.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.3

File hashes

Hashes for django-encrypted-secrets-0.9.7.tar.gz
Algorithm Hash digest
SHA256 3d725fb3920c63f1b07746b9016314708e621e199b6fab5d15dec20534857bc9
MD5 5392dabf142b2565278e9d9dd5462df2
BLAKE2b-256 7fe57252885d5b20ce1763aef928065fd98cf7ad31dcf2ec75ffc7b6844402b0

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page