django-root-secret 0.2.0

Django package for managing a single root encryption key and decrypting embedded secrets.

django-root-secret

django-root-secret is a Django package for managing one root encryption key per environment and decrypting encrypted literals at runtime.

django-root-secret reduces the number of plaintext secrets you need to manage and tries to minimize the number of environment variables your project depends on. Large .env files are a common source of configuration errors because variables can be missing, misnamed, outdated, or inconsistent across environments. This package keeps the env file minimal by storing only ROOT_ENCRYPTION_KEY there and encrypting the rest.

Installation

Install the package:

pip install django-root-secret

Add the app to INSTALLED_APPS:

INSTALLED_APPS = [
    ...,
    "django_root_secret",
]

Commands

Generate a root key file:

python manage.py generate_root_encryption_key --env development

This creates development.env in the current working directory with only:

# This file must only contain ROOT_ENCRYPTION_KEY.
# Encrypt every other secret with this key and keep the file private.
ROOT_ENCRYPTION_KEY=...

If development.env is not already ignored by Git, the command also adds it to .gitignore.

Encrypt a plaintext secret using that file and bring up a prompt to paste the secret:

python manage.py encrypt_secret --env development
# Value to encrypt: [hidden input]

At runtime, make ROOT_ENCRYPTION_KEY available through your environment or deployment secret manager:

export ROOT_ENCRYPTION_KEY="..."

Then use the encrypted output in code:

from django_root_secret import get_secret

DATABASE_PASSWORD = get_secret("gAAAAAB...")

Note

This package started as an internal tool at Hipo, and it brings back memories of a team I still appreciate deeply. 🦛