Re: Django SECRET KEY

2020-11-04 Thread Michael Rohan
Hi Folks,

An extension of this local file is the project django-yamlconf (See
https://django-yamlconf.readthedocs.io/en/latest/).  It allows general
over-ride of settings.  It is my project (full disclosure).

Take care,
Michael.

On Wed, Nov 4, 2020 at 3:51 PM Mike Dewhirst  wrote:



-- 
Michael Rohan
mro...@acm.org

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFiQ%2BoTW-gSjh37jg0CBvFOw6kc3jrMvfDTB15LtP0BLiQ%40mail.gmail.com.


Re: Django SECRET KEY

2020-11-04 Thread Mike Dewhirst
On 5/11/2020 1:54 am, Kegan Ronholt wrote:

I keep it in a file left out of the repository but in a "standard"
location known to the web server.

I have a simple utility to read the file into a list and just use a list
item as the secret key. I like it because there are typically half a
dozen different secrets per project. They include database credentials,
email server details, captcha keys and so on. It is handy having a
system to get all such stuff without needing to store it unsafely. I
also like using the top few lines for credentials and lower lines for
comments.

My standard location for such files includes a directory name based on
project name established in the settings so I don't have to think too
hard to manage credentials of any sort when creating new projects.

My view is that the only way secrecy can be compromised is if the server
itself is pwned. At that point you have to start again anyway.

Cheers

Mike



-- 
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.

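A worked version of the scheme Mike describes above, added here as an example and not his actual utility: one secrets file per project under a standard directory derived from the project name, the top lines holding credentials and everything after the first blank line being comments, with the settings picking credentials by line position. It adds the checks a deployment wants before trusting such a file: it must exist, must not be readable by other accounts on the host, and must hold as many credential lines as the settings expect. The `/etc` root, the line-to-name mapping and the sample file contents are assumptions of this example.

```python
"""Per-project secrets file kept outside the repository.

Added example, not Mike Dewhirst's own utility. Paths, the line layout
and the sample contents are assumptions made for this example.
"""
import stat
import tempfile
from pathlib import Path

# Assumed standard location: /etc/<project>/secrets (not from the thread).
DEFAULT_SECRETS_ROOT = Path("/etc")

# Assumed convention: which credential lives on which line (0-based).
SECRET_LINES = {
    "SECRET_KEY": 0,
    "DB_PASSWORD": 1,
    "EMAIL_HOST_PASSWORD": 2,
}

# Constructed sample file; every value is a dummy.
SAMPLE_SECRETS = """\
django-insecure-EXAMPLE-ONLY-not-a-real-key-0123456789abcdef
example-db-password
example-smtp-password

Lines after the first blank line are free-form comments, e.g. who owns
each credential and when it was last rotated.
"""


def parse_secrets(text, required=len(SECRET_LINES)):
    """Return the credential lines as a list.

    Credentials are the leading non-blank lines; the first blank line ends
    them and everything below is a comment. Raises ValueError when fewer
    than `required` credentials are present, so a half-written file fails
    at startup instead of handing Django an empty SECRET_KEY.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            break
        lines.append(line)
    if len(lines) < required:
        raise ValueError(
            f"secrets file has {len(lines)} credential line(s), need {required}"
        )
    return lines


def secrets_path(project_name, root=DEFAULT_SECRETS_ROOT):
    """Standard location derived from the project name, as in the reply."""
    return Path(root) / project_name / "secrets"


def check_private(path):
    """Refuse a file that group or other users could read (POSIX modes)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {mode:04o}; expected 0600, owned by the web server user"
        )


def load_secrets(project_name, root=DEFAULT_SECRETS_ROOT):
    """Read the project's secrets file and map credential names to values."""
    path = secrets_path(project_name, root)
    if not path.is_file():
        raise FileNotFoundError(f"no secrets file at {path}; create it outside the repository")
    check_private(path)
    values = parse_secrets(path.read_text(encoding="utf-8"))
    return {name: values[index] for name, index in SECRET_LINES.items()}


def demo():
    """Write the constructed sample into a temporary root with mode 0600 and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = secrets_path("myproject", tmp)
        path.parent.mkdir(parents=True)
        path.write_text(SAMPLE_SECRETS, encoding="utf-8")
        path.chmod(0o600)
        return load_secrets("myproject", tmp)


if __name__ == "__main__":
    # In settings.py this reduces to: SECRET_KEY = load_secrets(PROJECT_NAME)["SECRET_KEY"]
    for name, value in demo().items():
        print(f"{name}: {'*' * len(value)}")  # never print the values themselves
```

The permission check is the caveat behind Mike's "only if the server is pwned" point: a secrets file readable by other accounts on the host is exposed to any of them, which is a much smaller compromise than the whole server, so refusing to start on a loose mode keeps the threat model as narrow as he describes.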


Re: Django SECRET KEY

2020-11-04 Thread Abhishek Choudhury
I use the environment variables in Windows and later in the script I
pull the values using os.environ.get('Key_Name')  # Since this is a
dictionary, we use '' or "".

*With Best Regards,*
Abhishek Choudhury
Ph. No.: +91 7903717967
LinkedIN:  https://www.linkedin.com/in/yesabhishek/

On Wed, Nov 4, 2020 at 8:30 PM Kegan Ronholt  wrote:




Django SECRET KEY

2020-11-04 Thread Kegan Ronholt
What is the best practice for hiding SECRET key in settings.py in 
production. I am finding all sorts of different ways to do it, but none 
seem to work.




Re: Environment Variables for Django Secret Key etc On Windows 10 and Heroku

2020-09-15 Thread dum dum
without any quotes.

[image: image.png]



On Tue, Sep 15, 2020 at 5:10 AM coolguy wrote:



Re: Environment Variables for Django Secret Key etc On Windows 10 and Heroku

2020-09-14 Thread coolguy
Did you input the variable value under single quote or without it?

e.g. ''

On Saturday, September 12, 2020 at 12:35:29 PM UTC-4 hanz...@gmail.com wrote:



Re: Environment Variables for Django Secret Key etc On Windows 10 and Heroku

2020-09-12 Thread dum dum
Yes, I've seen so many tutorials. I did the same thing, and didn't work.
I believe there is something wrong with my Django Project. I don't know
what it is.
Still tinkering.


On Sat, Sep 12, 2020 at 9:38 PM Mbah Victor wrote:



Re: Environment Variables for Django Secret Key etc On Windows 10 and Heroku

2020-09-12 Thread Mbah Victor
Have you tried googling your problem?

Victor

On Sat, Sep 12, 2020, 9:34 AM dum dum  wrote:



Environment Variables for Django Secret Key etc On Windows 10 and Heroku

2020-09-12 Thread dum dum
I tried to put my Django Secret Key in Environment Variables.

SECRET_KEY = os.environ.get('SECRET_KEY')

I did save the SECRET_KEY on env var windows 10 like this
[image: image.png]


When I tried py manage.py runserver, I got this error:

django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting
must not be empty.

I followed this
https://stackoverflow.com/questions/19681102/my-django-secret-key-is-in-an-environment-variable-but-i-cant-do-syncdb

But I have no idea about the solution..

At this point, a strange thing even occurred: I tried py manage.py without
any SECRET_KEY in my env vars on Windows 10, just leaving
  SECRET_KEY = os.environ.get('SECRET_KEY')
in my settings.py.

I got no error.

Strange.. But when I deployed it on Heroku, it gave the same error as
this:
django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not
be empty.

Has anyone here got stuck in the same way as me? Please kindly advise.
Thanks

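Why the failure reported above looks the way it does, shown as an added example rather than code from the thread: os.environ.get('SECRET_KEY') returns None when the variable is absent, settings.py stores that None without complaint, and Django only raises "The SECRET_KEY setting must not be empty" when it first needs the key. The helper below makes settings.py fail immediately with a hint that says what to fix, and it also detects the quoted-value case coolguy asks about further up the thread. The status names, the hint texts and the 50-character threshold are this example's own choices (the threshold matches Django's security.W009 deployment check); the ImproperlyConfigured stand-in exists only so the file runs without Django installed.

```python
"""Read SECRET_KEY from the environment and fail at import time if it is unusable.

Added example, not code from the thread. Status names, hint texts and the
length threshold are this example's own.
"""
import os

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # Django not installed: local stand-in so the example runs alone
    class ImproperlyConfigured(Exception):
        pass

# `manage.py check --deploy` warns (security.W009) when SECRET_KEY has fewer
# than 50 characters; the same threshold is used here.
MIN_LENGTH = 50

HINTS = {
    "missing": (
        "SECRET_KEY is not set in this process's environment. On Windows a "
        "variable added through the System Properties dialog is only visible "
        "to terminals opened afterwards; on Heroku set it as a config var."
    ),
    "empty": "SECRET_KEY is set but blank.",
    "quoted": (
        "SECRET_KEY begins and ends with a quote character: the quotes were "
        "typed into the variable's value. Re-enter it without them."
    ),
    "short": f"SECRET_KEY is shorter than {MIN_LENGTH} characters.",
}


def diagnose_secret_key(environ, name="SECRET_KEY"):
    """Classify how `name` is set in the given mapping.

    Returns one of 'missing', 'empty', 'quoted', 'short' or 'ok'.
    """
    value = environ.get(name)
    if value is None:
        return "missing"          # what os.environ.get() silently hands settings.py
    if value.strip() == "":
        return "empty"
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return "quoted"           # value entered as 'abc' including the quotes
    if len(value) < MIN_LENGTH:
        return "short"
    return "ok"


def get_secret_key(environ=None, name="SECRET_KEY", allow_short=False):
    """Return the key or raise ImproperlyConfigured with an actionable message.

    `allow_short=True` is for local development only; production settings
    should keep the default so a weak key cannot slip through.
    """
    environ = os.environ if environ is None else environ
    status = diagnose_secret_key(environ, name)
    if status == "ok" or (status == "short" and allow_short):
        return environ[name]
    raise ImproperlyConfigured(f"{HINTS[status]} (status: {status})")


if __name__ == "__main__":
    # In settings.py: SECRET_KEY = get_secret_key()
    print(diagnose_secret_key(os.environ))
```

Because the check runs when settings.py is imported, `py manage.py runserver` and the Heroku dyno both stop with the hint before any request is served, instead of the late, less specific error quoted in the message above.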


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-02-08 Thread Motaz Hejaze
This discussion was very helpful

On Sat, 8 Feb 2020, 2:10 pm onlinejudge95 wrote:

> +1 for the same
>
> On Thu, Jan 30, 2020, 8:17 PM Chris Wedgwood  wrote:
>
>> Hi Tom
>>
>> You are definitely not overthinking this. It's important.
>>
>> This is an area that has baked my noodle for a while now and I am always
>> left wondering "Do I have this right?" "Am I vulnerable to attack?",
>> and I still haven't figured it out completely. It's like static files: I
>> never really feel like I get it entirely :)
>>
>> Firstly, you should never need to store a password/token/secret in source
>> control, ever. If you are, stop and think: there must be a better way.
>>
>> I use environment variables in a .env file to store my secrets, but the
>> trick is to ALWAYS put that in your .gitignore file. If you start a new git
>> repository there is an option to create a .gitignore file for Python that
>> is a great starting point.
>>
>> To complement my *.env* file there is a .env.example file that I DO put in
>> source control with a dummy password.
>>
>> .env file:
>>
>> MAILGUN_API_KEY =asjdhasds78dy9s8dy012287e210eu209e72
>>
>> .env.example:
>>
>> MAILGUN_API_KEY=ThisIsNotARealToken
>>
>> So when I do local development I can populate my .env file with local dev
>> secrets.
>>
>> For production deployments, I use *Ansible*, for which I provide
>> production tokens and secrets in a separate file, also not in source control.
>>
>> The Ansible deployment requires an ssh password that I store in a
>> password manager that has two-factor authentication.
>>
>> The docker-compose file can read environment variables from the .env file.
>>
>> Have a look at Django-Cookiecutter and see how they do it. That helped me
>> a lot when I started out.
>>
>> cheers
>> Chris
>>
>> On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote:
>>>
>>> Hi there, I'm following the guidelines by making sure the environment
>>> variables are stored outside of the settings.py files.
>>>
>>> The project is "dockerised" and so the environment variables have been
>>> stored in files *docker-compose.yml* and *docker-compose-prod.yml*.
>>>
>>> This includes things like the project's secret key, API keys, and
>>> database passwords.
>>>
>>> *My question is: *
>>> • Just because environment variables are stored in .yml files, won't
>>> they be equally insecure the moment I commit the project folder to a git
>>> repo (and especially if I push that repo to GitHub)?
>>> e.g. the Secret Key will forevermore be stored in the git repo (in
>>> earlier versions, even if I later move it to another file in subsequent
>>> commits).
>>>
>>> Is there an even more secure way of storing environment variables? Or am
>>> I overthinking it (as I'm the only developer and the GitHub repo is set to
>>> Private)?
>>>
>>> Many thanks in advance for your help.
>>>
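The .env / .env.example / .gitignore arrangement Chris Wedgwood describes in the reply quoted above, turned into a consistency check a project can run before committing. This is an added example, not his tooling and not Django-Cookiecutter's: parse_dotenv() is a deliberately small KEY=VALUE parser written for this example (not python-dotenv or compose's parser), the gitignore check is a rough pattern match rather than full gitignore semantics, and the three sample files are constructed.

```python
"""Check a .env file against its committed .env.example and the .gitignore.

Added example, not Chris Wedgwood's own tooling. parse_dotenv() is a small
parser written here for the example; the sample files are constructed.
"""
import re

# KEY=VALUE with optional "export"; whitespace around "=" is tolerated, as
# in the thread's own sample line "MAILGUN_API_KEY =...".
ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Return {key: value}; blank and '#' lines are skipped, quotes stripped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            raise ValueError(f"not a KEY=VALUE line: {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key] = value
    return values


def gitignore_covers_dotenv(gitignore_text):
    """Rough check that some pattern in .gitignore matches a top-level .env."""
    patterns = {
        line.strip() for line in gitignore_text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    }
    return bool(patterns & {".env", "/.env", "*.env", ".env*"})


def check_env_files(env_text, example_text, gitignore_text):
    """Return a list of problems; an empty list means the three files agree."""
    env = parse_dotenv(env_text)
    example = parse_dotenv(example_text)
    problems = []
    for key in sorted(example):
        if key not in env:
            problems.append(f"{key}: listed in .env.example but missing from .env")
        elif not env[key]:
            problems.append(f"{key}: empty in .env")
        elif env[key] == example[key]:
            problems.append(f"{key}: .env still holds the dummy value from .env.example")
    for key in sorted(set(env) - set(example)):
        problems.append(f"{key}: set in .env but not documented in .env.example")
    if not gitignore_covers_dotenv(gitignore_text):
        problems.append(".env is not excluded by .gitignore")
    return problems


# Constructed samples (dummy values only).
ENV_EXAMPLE = """# committed: placeholders, never real secrets
MAILGUN_API_KEY=ThisIsNotARealToken
DJANGO_SECRET_KEY=ThisIsNotARealKey
"""
ENV_GOOD = """MAILGUN_API_KEY =example-local-dev-token
DJANGO_SECRET_KEY='example-local-dev-key'
"""
ENV_BAD = """MAILGUN_API_KEY=ThisIsNotARealToken
DATABASE_URL=postgres://app:example@localhost/app
"""
GITIGNORE_GOOD = "__pycache__/\n.env\n"


if __name__ == "__main__":
    for label, env, ignore in (("good", ENV_GOOD, GITIGNORE_GOOD), ("bad", ENV_BAD, "")):
        print(label, check_env_files(env, ENV_EXAMPLE, ignore) or "OK")
```

The check is there to stop a secret entering the repository in the first place, which is the point Tom raises: a value that has been committed once stays in the history even after it is moved out of the file, so a secret that did get pushed has to be rotated, not just removed.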


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-02-08 Thread onlinejudge95
+1 for the same

On Thu, Jan 30, 2020, 8:17 PM Chris Wedgwood  wrote:



Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-02-07 Thread Tom Moore
Thanks everyone for responding to this question. Nice to know (in a way) 
that I'm not overthinking it.. although now I'm worried about all the 
different ways a key could be compromised.

Your suggestions for separating out a .env file and using gitignore are 
really helpful.

Tom

On Thursday, January 30, 2020 at 8:01:59 PM UTC, Michael Rohan wrote:
>
> Hi,
>
> Just fyi, it was, in part, to solve this problem that I implemented the 
> django-yamlconf module:
>
> https://django-yamlconf.readthedocs.io/en/latest/
>
> While getting the data into either a private yaml file or env variable in 
> the container isn't addressed, it does allow injecting the values into the 
> Django app without modifying the committed sources.
>
> Take care,
> Michael.
>
> On Thu, Jan 30, 2020 at 6:46 AM Chris Wedgwood wrote:
>
>> Hi Tom
>>
>> You are definitely not overthinking this. It's important.
>>
>> This is an area that has baked my noodle for a while now and I always am 
>> left wondering "Do I have this right?" "Am I vulnerable to attack?", 
>> and I still haven't figured it out completely. It's like static files; I 
>> never really feel like I get it entirely :)
>>
>> Firstly, you should never need to store a password/token/secret in Source 
>> Control, ever. If you are, stop and think: there must be a better way.
>>
>> I use environment variables in .env to store my secrets, but the trick is 
>> to ALWAYS put that in your .gitignore file. If you start a new git repository 
>> there is an option to create a .gitignore file 
>> for Python that is a great starting point.
>>
>> To complement my *.env* file there is a .env.example file that I DO put in 
>> source control with a dummy password.
>>
>> .env file:
>>
>> MAILGUN_API_KEY=asjdhasds78dy9s8dy012287e210eu209e72
>>
>> .env.example:
>>
>> MAILGUN_API_KEY=ThisIsNotARealToken
>>
>> So when I do local development I can populate my .env file with local dev 
>> secrets.
>>
>> For production deployments, I use *Ansible*, for which I provide 
>> production tokens and secrets in a separate file also not in source control.
>>
>> The Ansible deployment requires an ssh password that I store in a 
>> Password Manager that has two-factor authentication.
>>
>> The docker-compose file can read environment variables from the .env file.
>>
>> Have a look at Django-Cookiecutter and see how they do it. That helped me 
>> a lot when I started out.
>>
>> cheers
>> Chris
>>
>> On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote:
>>>
>>> Hi there, I'm following the guidelines by making sure the environment 
>>> variables are stored outside of the settings.py files.
>>>
>>> The project is "dockerised" and so the environment variables have been 
>>> stored in files *docker-compose.yml* and *docker-compose-prod.yml*.
>>>
>>> This includes things like the project's secret key, API keys, and 
>>> database passwords.
>>>
>>> *My question is:*
>>> • Just because environment variables are stored in .yml files, won't 
>>> they be equally insecure the moment I commit the project folder to a git 
>>> repo (and especially if I push that repo to GitHub)?
>>> e.g. the Secret Key will forevermore be stored in the git repo (in 
>>> earlier versions, even if I later move it to another file in subsequent 
>>> commits).
>>>
>>> Is there an even more secure way of storing environment variables? Or am 
>>> I overthinking it (as I'm the only developer and the GitHub repo is set to 
>>> Private)?
>>>
>>> Many thanks in advance for your help.
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to django...@googlegroups.com .
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-users/55f28dec-7c9a-4cae-b658-f89772aa1bd7%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/django-users/55f28dec-7c9a-4cae-b658-f89772aa1bd7%40googlegroups.com?utm_medium=email_source=footer>
>> .
>>
>
>
> -- 
> Michael Rohan
> mro...@acm.org 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/e54a3ad3-1df3-49aa-8ae0-7378f3c91ace%40googlegroups.com.


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-31 Thread Mike Dewhirst

On 1/02/2020 2:24 am, Bill Torcaso wrote:


A couple of years ago I posted on this topic to say that using ENV 
variables is dangerously subject to human error.  If it ever happens 
that (1) you put a server on the public internet with DEBUG on, and 
(2) a visitor can provoke a 5xx server error response, then all of 
your secrets will be dumped in the stack-trace output.


(Yes, I know people will say "don't do that" regarding point #1, and 
similarly say "never publish code with a possible 500 error event".  
But if it ever happens, you are screwed.  And you won't necessarily 
know that it happened.)


In general, if your secrets are kept in plaintext in your github 
repository and your repository gets compromised, then you have lost 
everything.


I agree with all that. I hadn't considered the DEBUG gotcha but now you 
mention it nothing is more certain. If it can go wrong it will. Don't 
know whose law that is but I respect it. I always look at the worst case 
and assume it will happen.


Please correct me if my assumptions are wrong but if the server itself 
is compromised it doesn't matter about the secrets.


If I have access to the machine I could examine the code and find the 
api which decrypts secrets and then write a script to fetch and decrypt 
any secret. But why would I bother if I have already pwned the machine?


A real problem is spreading secrets around a multi-person dev team and 
needing to change them all whenever a team member leaves.


Keeping them in editable text files in a standardised location for each 
project lets the secrets be kept and easily updated by the minimum 
number of people. Developers obviously know the standard location but 
might require sudo to see them. That would be fine on their own machines 
where their secrets can be mostly different than server secrets.


The layout of each secret in its own file named appropriately (e.g., 
django_secret_staging.txt, django_secret_dev.txt, django_secret_prd.txt 
etc) would permit the server software to retrieve the secret when 
required using a simple method which works on all machines. I call mine 
get_creds() and that lets me have different secrets between staging and 
production. Compromising one machine doesn't undermine the other.


I think you are on the right track by keeping secrets in text files. I 
just think encrypting them is a step too far.


Cheers

Mike



I've tried to think of a way to store the secrets in a plaintext file 
and encrypt the file's contents before committing the ciphertext file 
to the repository.  The question, as always, is where to store the 
key for decrypting the secrets file.


I have an idea in which the encryption key is manufactured on the fly 
from some non-obvious fact about the repository contents.  I'd like to 
get feedback from the Django community about it.


Summary:

  * Put all secret info in a text file, but encrypt the file before it
gets committed into the repository.

  * *Use an encryption key that is derived from some fact about the
files in the repository.*

  * At runtime, use that same fact to derive the decryption key for
the secrets file.

  * Ensure that the runtime server can never reveal the fact that is
the basis of the encryption key.


Suppose for example that the encryption key is the SHA-1 hash value of 
urls.py.  This is calculated during the release process, and used to 
encrypt the plaintext secrets file.  Then the encrypted secrets file 
is committed to the repository, and ultimately gets deployed to 
production.


urls.py obviously changes over time.  But it is constant for any given 
commit of the entire codebase, which is what gets deployed.


At start-up time, the Django server can open urls.py and hash the 
contents, and use that hash value to decrypt the contents of the 
secrets file.  As a result, the secrets are available at runtime, but 
they are never stored in a plaintext file.


Why is this secure?  It relies on two assumptions.

 1. Ensure that the contents of urls.py will never be published as
part of an HTTPResponse.

When this is true, the runtime server cannot reveal the decryption
key for the encrypted secrets file.  That is to say, do not write
a management command with name "getthesecretdecryptionkey".

 2. Using security-through-obscurity, do not always use the same file
(urls.py) as the basis of the hash value. Instead, use some
obscure selection criteria like "the seventh-largest .PY source
file in the tree; in case of a tie, use the alphabetically last file".

Similarly, do not always use the same hash method; instead, select
a hash method from a list like ["SHA-1", "SHA-256", "MD5"] by
taking the size of urls.py modulo the length of that list.

I look forward to hearing comments about this approach.

Bill Torcaso

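Mike's layout above, one secret per text file in a standard per-project directory outside the repository, with the environment in the file name, as an added example that is not his own get_creds(). The base directory, the project name and the file contents are constructed for the demo; Mike's convention of credentials on the top lines and comments below is kept, and a world-readable file is refused rather than used.

```python
import os
import stat
import tempfile
from pathlib import Path


class CredentialError(RuntimeError):
    """Raised when a credential file is missing, unreadable or unsafe."""


def get_creds(name, project, environment, base_dir, index=0):
    """Return one secret from <base_dir>/<project>/<name>_<environment>.txt.

    Credentials sit on the top lines of the file and comments below, so
    blank and '#' lines are dropped and `index` picks the credential line.
    The file must be a regular file that 'other' cannot read: a
    world-readable secret is refused instead of silently used, and a
    developer without the right group or sudo gets a clear error.
    """
    path = Path(base_dir) / project / ("%s_%s.txt" % (name, environment))
    try:
        st = path.stat()
    except FileNotFoundError:
        raise CredentialError("no credential file at %s" % path) from None
    if not stat.S_ISREG(st.st_mode):
        raise CredentialError("%s is not a regular file" % path)
    if st.st_mode & stat.S_IROTH:
        raise CredentialError("%s is world-readable; run chmod o-r on it" % path)
    try:
        lines = path.read_text(encoding="utf-8").splitlines()
    except PermissionError:
        raise CredentialError("cannot read %s (need group access or sudo)" % path) from None
    creds = [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    if index >= len(creds):
        raise CredentialError("%s has no credential at line index %d" % (path, index))
    return creds[index]


def write_demo_creds(base_dir, project):
    """Write a constructed credential tree for the demo: mode 0o600 except
    the one file deliberately left world-readable to show the refusal."""
    project_dir = Path(base_dir) / project
    project_dir.mkdir(parents=True, exist_ok=True)
    files = {
        "django_secret_dev.txt": ("dev-only-secret-not-for-servers\n# Django SECRET_KEY, dev\n", 0o600),
        "django_secret_staging.txt": ("staging-secret-differs-from-prd\n", 0o600),
        "database_staging.txt": ("app_user\nstaging-db-password\n# user, then password\n", 0o600),
        "database_prd.txt": ("app_user\nprd-db-password\n", 0o644),  # deliberately unsafe
    }
    for fname, (content, mode) in files.items():
        path = project_dir / fname
        path.write_text(content, encoding="utf-8")
        os.chmod(path, mode)
    return project_dir


if __name__ == "__main__":
    # In settings.py this would read, for an assumed base directory /etc/creds:
    #   SECRET_KEY = get_creds("django_secret", "myproject",
    #                          os.environ.get("DJANGO_ENV", "dev"), "/etc/creds")
    base = tempfile.mkdtemp()
    write_demo_creds(base, "myproject")
    print(get_creds("django_secret", "myproject", "dev", base))
    print(get_creds("database", "myproject", "staging", base, index=1))
    try:
        get_creds("database", "myproject", "prd", base)
    except CredentialError as exc:
        print("refused:", exc)
```

Staging and production read different files, so compromising one machine's file does not hand over the other's secret, which is the property Mike relies on.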
Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-31 Thread Bill Torcaso

A couple of years ago I posted on this topic to say that using ENV 
variables is dangerously subject to human error.  If it ever happens that 
(1) you put a server on the public internet with DEBUG on, and (2) a 
visitor can provoke a 5xx server error response, then all of your secrets 
will be dumped in the stack-trace output.

(Yes, I know people will say "don't do that" regarding point #1, and 
similarly say "never publish code with a possible 500 error event".  But if 
it ever happens, you are screwed.  And you won't necessarily know that it 
happened.)

In general, if your secrets are kept in plaintext in your github repository 
and your repository gets compromised, then you have lost everything.

I've tried to think of a way to store the secrets in a plaintext file and 
encrypt the file's contents before committing the ciphertext file to the 
repository.  The question, as always, is where to store the key for 
decrypting the secrets file.

I have an idea in which the encryption key is manufactured on the fly from 
some non-obvious fact about the repository contents.  I'd like to get 
feedback from the Django community about it.

Summary:

   - Put all secret info in a text file, but encrypt the file before it 
   gets committed into the repository.
   
   - *Use an encryption key that is derived from some fact about the files 
   in the repository.*
   
   - At runtime, use that same fact to derive the decryption key for the 
   secrets file.
   
   - Ensure that the runtime server can never reveal the fact that is the 
   basis of the encryption key.


Suppose for example that the encryption key is the SHA-1 hash value of 
urls.py.  This is calculated during the release process, and used to 
encrypt the plaintext secrets file.  Then the encrypted secrets file is 
committed to the repository, and ultimately gets deployed to production.

urls.py obviously changes over time.  But it is constant for any given 
commit of the entire codebase, which is what gets deployed. 

At start-up time, the Django server can open urls.py and hash the contents, 
and use that hash value to decrypt the contents of the secrets file.  As a 
result, the secrets are available at runtime, but they are never stored in 
a plaintext file.

Why is this secure?  It relies on two assumptions.

   1. Ensure that the contents of urls.py will never be published as part 
   of an HTTPResponse.
   
   When this is true, the runtime server cannot reveal the decryption key 
   for the encrypted secrets file.  That is to say, do not write a management 
   command with name "getthesecretdecryptionkey".
   
   2. Using security-through-obscurity, do not always use the same file 
   (urls.py) as the basis of the hash value.  Instead, use some obscure 
   selection criteria like "the seventh-largest .PY source file in the tree; 
   in case of a tie, use the alphabetically last file".
   
   Similarly, do not always use the same hash method; instead, select a 
   hash method from a list like ["SHA-1", "SHA-256", "MD5"] by taking the size 
   of urls.py modulo the length of that list.

I look forward to hearing comments about this approach.

Bill Torcaso

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/91ae856c-8408-44c6-893d-12e1189a418d%40googlegroups.com.


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-30 Thread Michael Rohan
Hi,

Just fyi, it was, in part, to solve this problem that I implemented the
django-yamlconf module:

https://django-yamlconf.readthedocs.io/en/latest/

While getting the data into either a private yaml file or env variable in
the container isn't addressed, it does allow injecting the values into the
Django app without modifying the committed sources.

Take care,
Michael.

On Thu, Jan 30, 2020 at 6:46 AM Chris Wedgwood wrote:

> Hi Tom
>
> You are definitely not overthinking this. It's important.
>
> This is an area that has baked my noodle for a while now and I always am
> left wondering "Do I have this right?" "Am I vulnerable to attack?",
> and I still haven't figured it out completely. It's like static files; I
> never really feel like I get it entirely :)
>
> Firstly, you should never need to store a password/token/secret in Source
> Control, ever. If you are, stop and think: there must be a better way.
>
> I use environment variables in .env to store my secrets, but the trick is
> to ALWAYS put that in your .gitignore file. If you start a new git repository
> there is an option to create a .gitignore file
> for Python that is a great starting point.
>
> To complement my *.env* file there is a .env.example file that I DO put in
> source control with a dummy password.
>
> .env file:
>
> MAILGUN_API_KEY=asjdhasds78dy9s8dy012287e210eu209e72
>
> .env.example:
>
> MAILGUN_API_KEY=ThisIsNotARealToken
>
> So when I do local development I can populate my .env file with local dev
> secrets.
>
> For production deployments, I use *Ansible*, for which I provide
> production tokens and secrets in a separate file also not in source control.
>
> The Ansible deployment requires an ssh password that I store in a Password
> Manager that has two-factor authentication.
>
> The docker-compose file can read environment variables from the .env file.
>
> Have a look at Django-Cookiecutter and see how they do it. That helped me
> a lot when I started out.
>
> cheers
> Chris
>
> On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote:
>>
>> Hi there, I'm following the guidelines by making sure the environment
>> variables are stored outside of the settings.py files.
>>
>> The project is "dockerised" and so the environment variables have been
>> stored in files *docker-compose.yml* and *docker-compose-prod.yml*.
>>
>> This includes things like the project's secret key, API keys, and
>> database passwords.
>>
>> *My question is:*
>> • Just because environment variables are stored in .yml files, won't they
>> be equally insecure the moment I commit the project folder to a git repo
>> (and especially if I push that repo to GitHub)?
>> e.g. the Secret Key will forevermore be stored in the git repo (in
>> earlier versions, even if I later move it to another file in subsequent
>> commits).
>>
>> Is there an even more secure way of storing environment variables? Or am
>> I overthinking it (as I'm the only developer and the GitHub repo is set to
>> Private)?
>>
>> Many thanks in advance for your help.
>>
>


-- 
Michael Rohan
mro...@acm.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAOCsNFhLqucCRWb%3DbsneUdKVuWkNqQR%3DKL_P3zVXAAthzDxAPw%40mail.gmail.com.


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-30 Thread Chris Wedgwood
Hi Tom

You are definitely not overthinking this. It's important.

This is an area that has baked my noodle for a while now and I always am 
left wondering "Do I have this right?" "Am I vulnerable to attack?", 
and I still haven't figured it out completely. It's like static files; I 
never really feel like I get it entirely :)

Firstly, you should never need to store a password/token/secret in Source 
Control, ever. If you are, stop and think: there must be a better way.

I use environment variables in .env to store my secrets, but the trick is 
to ALWAYS put that in your .gitignore file. If you start a new git repository 
there is an option to create a .gitignore file 
for Python that is a great starting point.

To complement my *.env* file there is a .env.example file that I DO put in 
source control with a dummy password.

.env file:

MAILGUN_API_KEY=asjdhasds78dy9s8dy012287e210eu209e72

.env.example:

MAILGUN_API_KEY=ThisIsNotARealToken

So when I do local development I can populate my .env file with local dev 
secrets.

For production deployments, I use *Ansible*, for which I provide production 
tokens and secrets in a separate file also not in source control.

The Ansible deployment requires an ssh password that I store in a Password 
Manager that has two-factor authentication.

The docker-compose file can read environment variables from the .env file.

Have a look at Django-Cookiecutter and see how they do it. That helped me a 
lot when I started out.

cheers
Chris

On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote:
>
> Hi there, I'm following the guidelines by making sure the environment 
> variables are stored outside of the settings.py files.
>
> The project is "dockerised" and so the environment variables have been 
> stored in files *docker-compose.yml* and *docker-compose-prod.yml*.
>
> This includes things like the project's secret key, API keys, and database 
> passwords.
>
> *My question is:*
> • Just because environment variables are stored in .yml files, won't they 
> be equally insecure the moment I commit the project folder to a git repo 
> (and especially if I push that repo to GitHub)?
> e.g. the Secret Key will forevermore be stored in the git repo (in earlier 
> versions, even if I later move it to another file in subsequent commits).
>
> Is there an even more secure way of storing environment variables? Or am I 
> overthinking it (as I'm the only developer and the GitHub repo is set to 
> Private)?
>
> Many thanks in advance for your help.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/55f28dec-7c9a-4cae-b658-f89772aa1bd7%40googlegroups.com.
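A start-up check for the .env / .env.example convention Chris describes, as an added example that is not code from his post or from Cookiecutter: it parses both files, confirms .env is covered by .gitignore, and refuses to run with a key still set to the placeholder value from .env.example. The sample project files are constructed in a temporary directory; the MAILGUN_API_KEY and SECRET_KEY names are taken from the thread, the values are made up.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# KEY=value with optional surrounding whitespace and an optional "export" prefix.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)$")


def parse_dotenv(text):
    """Parse .env text into a dict; comments and blank lines are skipped and
    matching single or double quotes around a value are removed."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError("malformed .env line: %r" % raw)
        key, val = match.group(1), match.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def gitignore_covers(gitignore_text, name):
    """True if the last .gitignore pattern that matches `name` ignores it.
    Only simple patterns are handled: exact names, a leading '/', globs
    and '!' negations; a later matching line overrides an earlier one."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        negate = pattern.startswith("!")
        pattern = pattern[1:] if negate else pattern
        if fnmatch.fnmatch(name, pattern.lstrip("/")):
            ignored = not negate
    return ignored


def audit_env(project_dir):
    """Return the list of problems found; an empty list means .env is ignored
    by git, every key documented in .env.example is set, and no value is the
    example's dummy value."""
    project_dir = Path(project_dir)
    problems = []
    gitignore = project_dir / ".gitignore"
    if not gitignore.exists() or not gitignore_covers(gitignore.read_text(), ".env"):
        problems.append(".env is not listed in .gitignore")
    example = parse_dotenv((project_dir / ".env.example").read_text())
    env_path = project_dir / ".env"
    if not env_path.exists():
        return problems + [".env is missing; copy .env.example and fill it in"]
    env = parse_dotenv(env_path.read_text())
    for key, dummy in example.items():
        if not env.get(key):
            problems.append("%s is not set in .env" % key)
        elif env[key] == dummy:
            problems.append("%s still has the .env.example placeholder value" % key)
    return problems


def write_demo_project(root, ignore_env=True, api_key="asjdhasds78dy9s8dy012287e210eu209e72"):
    """Write a constructed project layout (sample files, not a real project)."""
    root = Path(root)
    (root / ".gitignore").write_text("*.pyc\n__pycache__/\n" + (".env\n" if ignore_env else ""))
    (root / ".env.example").write_text(
        "# Copy to .env and fill in real values\n"
        "MAILGUN_API_KEY=ThisIsNotARealToken\n"
        "SECRET_KEY=changeme\n")
    (root / ".env").write_text(
        "MAILGUN_API_KEY=%s\n"
        "SECRET_KEY='constructed-long-random-looking-value-for-the-demo'\n" % api_key)
    return root


if __name__ == "__main__":
    # Call audit_env() from settings.py (or a deploy step) and refuse to start
    # when it returns anything; here a good and a bad layout are compared.
    good = write_demo_project(tempfile.mkdtemp())
    bad = write_demo_project(tempfile.mkdtemp(), ignore_env=False, api_key="ThisIsNotARealToken")
    print("good:", audit_env(good))
    print("bad:", audit_env(bad))
```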


Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-30 Thread Shaheed Haque
I don't think you are overthinking this.

On Thu, 30 Jan 2020, 12:40, Tom Moore wrote:

> Hi there, I'm following the guidelines by making sure the environment
> variables are stored outside of the settings.py files.
>
> The project is "dockerised" and so the environment variables have been
> stored in files *docker-compose.yml* and *docker-compose-prod.yml*.
>

What we do isn't perfect but does limit our exposure:

- we don't store the production key(s) in git at all.
- instead, we fetch them at deployment time using a secure connection to
the store, and then inject them into our runtime (we are still in a vm)

The secure connection is the less than ideal part, since we require a human
to provide the private key. In theory, we can replace that with automation
at the cost of a short insecure connection (or some other complex key
management). But we can change that at will as our scale needs evolve.

> This includes things like the project's secret key, API keys, and database
> passwords.
>
> *My question is:*
> • Just because environment variables are stored in .yml files, won't they
> be equally insecure the moment I commit the project folder to a git repo
> (and especially if I push that repo to GitHub)?
> e.g. the Secret Key will forevermore be stored in the git repo (in earlier
> versions, even if I later move it to another file in subsequent commits).
>
> Is there an even more secure way of storing environment variables? Or am I
> overthinking it (as I'm the only developer and the GitHub repo is set to
> Private)?
>
> Many thanks in advance for your help.
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAHAc2jdrdbroRUxFEtfiia7H0bGvuuWkEjg9XP2COumNqXk3kw%40mail.gmail.com.


How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

2020-01-30 Thread Tom Moore
Hi there, I'm following the guidelines by making sure the environment 
variables are stored outside of the settings.py files.

The project is "dockerised" and so the environment variables have been 
stored in files *docker-compose.yml* and *docker-compose-prod.yml*.

This includes things like the project's secret key, API keys, and database 
passwords.

*My question is:*
• Just because environment variables are stored in .yml files, won't they 
be equally insecure the moment I commit the project folder to a git repo 
(and especially if I push that repo to GitHub)?
e.g. the Secret Key will forevermore be stored in the git repo (in earlier 
versions, even if I later move it to another file in subsequent commits).

Is there an even more secure way of storing environment variables? Or am I 
overthinking it (as I'm the only developer and the GitHub repo is set to 
Private)?

Many thanks in advance for your help.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/887bcd5b-4525-4a54-a4e5-5eae32b20041%40googlegroups.com.


Re: Django Login Secret key

2019-07-10 Thread Jani Tiainen
Oh, you want to have false security.

First, this has nothing to do with Django and its secret key. You can use
any secret key; in your case it would be user input. Also you can use any
cryptography algorithm to secure your data in the database.

And here is the problem: to make the user experience pleasant you have to
store this secret key somewhere, unless you want to have the user input the
secret key every time you read from and write to the database, not just at login.

Because you store the key, it does exist somewhere. And if an attacker has
already got to your settings.py, it pretty much means that the attacker sees
your code and can read the key. And you have lost the game.

On Wed, 10 Jul 2019 at 9:54, Sebastian Jung wrote:

> I encrypt several fields in the database. Now it's possible that a hacker gets
> the database and settings.py. I want maximum security and I think that having
> the user input the secret key at the login page is optimal. Also, as a SaaS, I
> want no access to the data in the database because the data is high security.
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAHn91odgLvs8u%3DK%2BaFXhWNgc4OYTLyNjst0YcGXWETV%3DjRgjCw%40mail.gmail.com.


Re: Django Login Secret key

2019-07-10 Thread Sebastian Jung
I encrypt several fields in the database. Now it's possible that a hacker gets 
the database and settings.py. I want maximum security and I think that having 
the user input the secret key at the login page is optimal. Also, as a SaaS, I 
want no access to the data in the database because the data is high security.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/2e15e2f0-0400-4158-a4ec-69e06e65bbc2%40googlegroups.com.


Re: Django Login Secret key

2019-07-10 Thread Jani Tiainen
Hi.

What are you trying to do?

In other words, why do you need to replace the secret key with user input at login?


On Wed, 10 Jul 2019 at 8:54, Sebastian Jung wrote:

> Hello,
>
> I want a further field, Secret Key, on my login page. This input is a
> replacement for the Secret Key in settings.py. Is this possible? Can someone
> explain to me how?
>
> Regards
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAHn91oew_0H-5hMO0hM2EdvXN1rx6i4kwC55W9cQwWKsu5TZbg%40mail.gmail.com.


Django Login Secret key

2019-07-09 Thread Sebastian Jung
Hello,

I want a further field, Secret Key, on my login page. This input is a replacement 
for the Secret Key in settings.py. Is this possible? Can someone explain to me how?

Regards

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/d8ec843c-0de4-4e20-b264-7fd45d455777%40googlegroups.com.


Re: What happens when secret key is lost?

2014-05-21 Thread Tim Chase
On 2014-05-21 16:44, Erik Romijn wrote:
> > Could you elaborate on how such remote-code execution would
> > happen?  
> 
> If you use Django's cookie-based sessions[1], knowledge of the
> SECRET_KEY allows an attacker to forge a cookie with session data.
> Forging sessions is bad enough, but if you combine this with
> PickleSerializer[2], that escalates to remote code execution:
> pickle is flexible but also unsafe: it's fairly simple to fabricate
> data that, when unpickled, executes particular Python code. This is
> why one must never unpickle data from an untrusted source.

I know not to (and don't) use Pickle for that reason, but if Django is
using it and trusting the SECRET_KEY to protect it, that makes perfect
sense. Thanks!

-tkc



To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/20140521120129.091f9cfd%40bigbox.christie.dr.


Re: What happens when secret key is lost?

2014-05-21 Thread Erik Romijn
On 20 May 2014, at 22:27, Tim Chase <django.us...@tim.thechases.com> wrote:
>> And yes, it is very important to keep it secret. The worst case
>> scenario for secret key leakage, in particular configurations, is
>> arbitrary remote code execution.
> 
> Could you elaborate on how such remote-code execution would happen?

If you use Django's cookie-based sessions[1], knowledge of the SECRET_KEY 
allows an attacker to forge a cookie with session data. Forging sessions is bad 
enough, but if you combine this with PickleSerializer[2], that escalates to 
remote code execution: pickle is flexible but also unsafe: it's fairly simple 
to fabricate data that, when unpickled, executes particular Python code. This 
is why one must never unpickle data from an untrusted source.

PickleSerializer was the only option in Django<1.5, default option in Django 
1.6, and non-default option in Django 1.7+, for this reason. As far as I know, 
cookie-backed sessions have never been the default in Django.

See my blog[3] for a more extensive description and a proof of concept based on 
Flask.

On 21 May 2014, at 16:03, Henning Sprang <henning.spr...@gmail.com> wrote:
> As for the location where to document it, I stumbled upon it in the
> "deployment checklist" part of the docs; it only said it's
> important to keep it secret while those further questions went
> unanswered, so when adding more info, you might also put a link on
> the deployment pages when working on it anyway.

Thanks for the suggestion, that would be useful indeed.

cheers,
Erik

[1] 
https://docs.djangoproject.com/en/1.6/topics/http/sessions/#using-cookie-based-sessions
[2] 
https://docs.djangoproject.com/en/1.6/topics/http/sessions/#session-serialization
[3] 
http://erik.io/blog/2013/04/26/proof-of-concept-arbitrary-remote-code-execution-pickle-sessions/

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/652F9C27-15F3-48BC-930E-E0E5EA766A25%40solidlinks.nl.

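The mechanism Erik describes, a session whose only protection is the MAC computed under SECRET_KEY, as an added stdlib model that is not Django's own code (django.core.signing also adds timestamps, compression and different key derivation; the salt handling here is an approximation). It also covers Erik Cederstrand's point that any locally generated random string makes a fine key, and shows the rotation step for a key that has leaked.

```python
import base64
import hashlib
import hmac
import json
import secrets


def generate_secret_key(nbytes=50):
    """Make a SECRET_KEY locally from the OS CSPRNG; no website needs to see it."""
    return secrets.token_urlsafe(nbytes)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload, secret_key, salt):
    # Derive a per-purpose HMAC key from the salt and SECRET_KEY (a simplified
    # version of what Django's Signer does); the session payload is
    # authenticated by this MAC and by nothing else.
    key = hashlib.sha256((salt + "signer").encode() + secret_key.encode()).digest()
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def sign_session(session, secret_key, salt="sessions"):
    """Serialise the session dict as JSON and append its MAC: the cookie value."""
    payload = _b64(json.dumps(session, sort_keys=True).encode("utf-8"))
    return payload + ":" + _mac(payload, secret_key, salt)


def load_session(cookie, secret_key, salt="sessions"):
    """Return the session dict if the MAC verifies under secret_key, else None.

    The payload is decoded only after verification and only as JSON, so a
    cookie is inert data. With a pickle serializer the load step itself would
    execute whatever the signer put in the payload, which is why the key's
    secrecy is the entire security of this scheme."""
    payload, sep, mac = cookie.rpartition(":")
    if not sep:
        return None
    expected = _mac(payload, secret_key, salt)
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return None
    try:
        return json.loads(_unb64(payload).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def load_session_any(cookie, secret_keys, salt="sessions"):
    """Verify against the current key first, then any older keys still accepted.

    This is the rotation pattern after a key leaks: new cookies are signed with
    the new key, existing sessions survive the overlap, and once the old key is
    dropped from the list every cookie it ever signed is rejected."""
    for key in secret_keys:
        session = load_session(cookie, key, salt)
        if session is not None:
            return session
    return None


if __name__ == "__main__":
    old_key = generate_secret_key()
    cookie = sign_session({"_auth_user_id": "1"}, old_key)
    print("valid under the signing key:", load_session(cookie, old_key))
    print("rejected under another key:", load_session(cookie, generate_secret_key()))
    new_key = generate_secret_key()
    print("still valid during rotation:", load_session_any(cookie, [new_key, old_key]))
    print("rejected once the old key is retired:", load_session_any(cookie, [new_key]))
```

Django 4.1 added the SECRET_KEY_FALLBACKS setting for exactly this overlap period; on older versions changing SECRET_KEY invalidates every signed cookie at once.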

Re: What happens when secret key is lost?

2014-05-21 Thread Henning Sprang
Hi Erik,

On Tue, May 20, 2014 at 8:34 PM, Erik Romijn wrote:
> ...
> If it were used for that, that would indeed be the scenario. Fortunately, 
> it's not.

Good to know :)

> There is a current ticket open on documenting exactly this question: 
> https://code.djangoproject.com/ticket/22310. I'd worked through most of it 
> but somehow lost my changes.

Thanks for your explanations - they help a lot!
As for the location where to document it: I stumbled upon it in the
"deployment checklist" part of the docs, where it only said it's
important to keep it secret while those further questions remained
unanswered, so when adding more info, you might also put a link on
the deployment pages when working on it anyway.

Let me know if you need help, e.g. proof-reading through what you will
put in the docs.

Thanks,
Henning



-- 
Henning Sprang
http://www.sprang.de



Re: What happens when secret key is lost?

2014-05-20 Thread Erik Cederstrand
Den 20/05/2014 kl. 20.40 skrev Henning Sprang :

> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?

You can use any random string, but you could also install django_extensions and 
do:

./manage.py generate_secret_key

Erik



Re: What happens when secret key is lost?

2014-05-20 Thread Tim Chase
On 2014-05-20 21:34, Erik Romijn wrote:
> > The question is, what happens when I lose it - when it's used for
> > password hash salt, doesn't that mean if it's lost, all users
> > have to reset their password, don't they?  
> 
> If it were used for that, that would indeed be the scenario.
> Fortunately, it's not.
> 
> There is a current ticket open on documenting exactly this
> question: https://code.djangoproject.com/ticket/22310. I'd worked
> through most of it but somehow lost my changes.
> 
> From memory, and without review by a second pair of eyes, I believe
> the effects are limited to:
> - All currently existing sessions are invalidated.
> - All password reset tokens are invalidated.
> - All form previews in progress require an additional confirmation.
> - All form wizards in progress are reset, and if using the cookie
> backend for form wizards, this may lead to exceptions.
> 
> Also, any third party packages or any of your own code that uses
> the secret key may be affected. Notably not affected (in Django
> itself) are user passwords, and general content in the database.

Thanks for the concise summary.  I've researched this on my own in
the past enough to know that passwords weren't impacted and session
tokens were invalid, but the others didn't register with me when I
grepped the code-base.

> And yes, it is very important to keep it secret. The worst case
> scenario for secret key leakage, in particular configurations, is
> arbitrary remote code execution.

Could you elaborate on how such remote-code execution would happen?

Thanks,

-Tim






Re: What happens when secret key is lost?

2014-05-20 Thread Erik Romijn
Hello Henning,

On 20 May 2014, at 20:40, Henning Sprang <henning.spr...@gmail.com> wrote:
> The question is, what happens when I lose it - when it's used for
> password hash salt, doesn't that mean if it's lost, all users have to
> reset their password, don't they?

If it were used for that, that would indeed be the scenario. Fortunately, it's 
not.

There is a current ticket open on documenting exactly this question: 
https://code.djangoproject.com/ticket/22310. I'd worked through most of it but 
somehow lost my changes.

From memory, and without review by a second pair of eyes, I believe the 
effects are limited to:
- All currently existing sessions are invalidated.
- All password reset tokens are invalidated.
- All form previews in progress require an additional confirmation.
- All form wizards in progress are reset, and if using the cookie backend for 
form wizards, this may lead to exceptions.

Also, any third party packages or any of your own code that uses the secret key 
may be affected. Notably not affected (in Django itself) are user passwords, 
and general content in the database.

> Also, if it should be kept secret, I guess it's safe to assume that
> using an online generator like
> https://djskgen.herokuapp.com/ is not the smartest idea one can come
> up with, right?

I would not recommend using such a service. Although it's probably not 
malicious, there is no reason to use this either. Remember also that the secret 
key has no particular format. Any random string, e.g. one that you may get from 
a password manager, can be used.

And yes, it is very important to keep it secret. The worst case scenario for 
secret key leakage, in particular configurations, is arbitrary remote code 
execution.

cheers,
Erik

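To make the list of effects above concrete, here is an added stdlib-only Python sketch (not Django's own code; the key values and salt label are constructed for the example) that mimics Django's salted-HMAC cookie signing and PBKDF2 password hashing. Rotating the key stops every previously signed session cookie from verifying, while stored password hashes keep working because SECRET_KEY is not an input to them; the session payload is JSON rather than pickle, which is the point of the PickleSerializer/JSONSerializer remark at the top of this page.

```python
"""Added illustration (stdlib only, not Django's own code) of what a
SECRET_KEY rotation does and does not invalidate.  The cookie signing
mimics Django's salted-HMAC scheme; the password hash is PBKDF2 with a
per-user salt, so SECRET_KEY is never an input to it.  Key values and the
salt label are constructed for this example."""
import base64
import hashlib
import hmac
import json
import os

OLD_SECRET_KEY = "constructed-old-key-0123456789"      # constructed sample
NEW_SECRET_KEY = "constructed-new-key-9876543210"      # constructed sample
SESSION_SALT = "example.sessions.signed_cookie"        # assumed salt label


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: str, secret_key: str, salt: str) -> str:
    # As in Django's salted_hmac(): derive a purpose-specific key from
    # salt + SECRET_KEY, then HMAC the payload with that derived key.
    derived = hashlib.sha256((salt + secret_key).encode()).digest()
    return _b64(hmac.new(derived, payload.encode(), hashlib.sha256).digest())


def sign_session(data: dict, secret_key: str) -> str:
    """Serialise with JSON, never pickle: even a forged cookie can then only
    carry plain data, not reconstruct arbitrary objects on load."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    return f"{payload}:{_signature(payload, secret_key, SESSION_SALT)}"


def load_session(cookie: str, secret_key: str):
    """Return the session dict, or None when the signature does not verify
    under the given key (the fate of every live session after a rotation)."""
    payload, _, sig = cookie.rpartition(":")
    if not hmac.compare_digest(sig, _signature(payload, secret_key, SESSION_SALT)):
        return None
    return json.loads(_unb64(payload))


def make_password(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """PBKDF2-SHA256 with a random per-user salt; SECRET_KEY plays no part."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def check_password(password: str, encoded: str) -> bool:
    _algo, iterations, salt_b64, _digest = encoded.split("$")
    recomputed = make_password(password, _unb64(salt_b64), int(iterations))
    return hmac.compare_digest(recomputed, encoded)


def rotation_effects() -> dict:
    """Rotate the key and report what still works: sessions signed under the
    old key stop verifying, stored password hashes are unaffected."""
    cookie = sign_session({"_auth_user_id": "42"}, OLD_SECRET_KEY)
    stored_hash = make_password("correct horse battery staple")
    return {
        "session_before_rotation": load_session(cookie, OLD_SECRET_KEY) is not None,
        "session_after_rotation": load_session(cookie, NEW_SECRET_KEY) is not None,
        "password_after_rotation": check_password("correct horse battery staple", stored_hash),
        "wrong_password_rejected": check_password("wrong", stored_hash),
    }


if __name__ == "__main__":
    for effect, ok in rotation_effects().items():
        print(f"{effect}: {ok}")
```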


What happens when secret key is lost?

2014-05-20 Thread Henning Sprang
Hi,

I have developed quite a bit in Django already, but only now am I for the
first time responsible for putting something into real production use.

So I work through the deployment checklist, and it says the secret key
must be kept super secret. One example shows how to set it as
environment variable.

The question is, what happens when I lose it - when it's used for
password hash salt, doesn't that mean if it's lost, all users have to
reset their password, don't they?

Also, if it should be kept secret, I guess it's safe to assume that
using an online generator like
https://djskgen.herokuapp.com/ is not the smartest idea one can come
up with, right?

Cheers and thanks in advance,
Henning

-- 
Henning Sprang
http://www.sprang.de



Re: Get secret key from django settings

2014-03-25 Thread Errfan Wadia
Yes, because it takes the settings instance using LazySettings.


On Tue, Mar 25, 2014 at 10:06 PM, François Schiettecatte <
fschietteca...@gmail.com> wrote:

> 110-130 milliseconds to 'import' something, sounds very suspect to me.
>
> François
>
> On Mar 25, 2014, at 12:08 PM, Errfan Wadia 
> wrote:
>
> > Hi Daniel,
> >
> > When I try to get the SECRET_KEY from settings.py in one of the app, it
> takes around 110-130 millisec. Here I am talking about execution time.
> >
> > On Tuesday, 25 March 2014 18:31:01 UTC+5:30, Daniel Roseman wrote:
> > On Tuesday, 25 March 2014 06:36:53 UTC, Errfan Wadia wrote:
> > Hi,
> >
> > I am using from django.conf import settings
> > Is there any faster way to get the SECRET_KEY in one of my app from
> settings.py ?
> >
> > What do you mean, faster? In what way is that slow?
> > --
> > DR.
> >



Re: Get secret key from django settings

2014-03-25 Thread François Schiettecatte
110-130 milliseconds to 'import' something, sounds very suspect to me.

François

On Mar 25, 2014, at 12:08 PM, Errfan Wadia  wrote:

> Hi Daniel,
> 
> When I try to get the SECRET_KEY from settings.py in one of the app, it takes 
> around 110-130 millisec. Here I am talking about execution time.
> 
> On Tuesday, 25 March 2014 18:31:01 UTC+5:30, Daniel Roseman wrote:
> On Tuesday, 25 March 2014 06:36:53 UTC, Errfan Wadia wrote:
> Hi,
> 
> I am using from django.conf import settings
> Is there any faster way to get the SECRET_KEY in one of my app from 
> settings.py ?
> 
> What do you mean, faster? In what way is that slow?
> --
> DR. 
> 


Re: Get secret key from django settings

2014-03-25 Thread Errfan Wadia
Hi Daniel,

When I try to get the SECRET_KEY from settings.py in one of the apps, it 
takes around 110-130 millisec. Here I am talking about execution time.

On Tuesday, 25 March 2014 18:31:01 UTC+5:30, Daniel Roseman wrote:
>
> On Tuesday, 25 March 2014 06:36:53 UTC, Errfan Wadia wrote:
>>
>> Hi,
>>
>> I am using from django.conf import settings
>> Is there any faster way to get the SECRET_KEY in one of my app from 
>> settings.py ?
>>
>
> What do you mean, faster? In what way is that slow?
> --
> DR. 
>



Re: Get secret key from django settings

2014-03-25 Thread Errfan Wadia
Hey Shai 

it worked, reduced the time to 10 millisec from 120 millisec.

On Tuesday, 25 March 2014 17:48:12 UTC+5:30, Shai Efrati wrote:
>
> Hi Errfan,
> You can get the SECRET_KEY through the environment variables. Just use:
>
> from os import environ
> SECRET_KEY = environ.get('SECRET_KEY')
>
> Good luck!
>
>
> Shai.
>
>
> On Tue, Mar 25, 2014 at 8:36 AM, Errfan Wadia 
>  > wrote:
>
>> Hi,
>>
>> I am using from django.conf import settings
>> Is there any faster way to get the SECRET_KEY in one of my app from 
>> settings.py ?



Re: Get secret key from django settings

2014-03-25 Thread Daniel Roseman
On Tuesday, 25 March 2014 06:36:53 UTC, Errfan Wadia wrote:
>
> Hi,
>
> I am using from django.conf import settings
> Is there any faster way to get the SECRET_KEY in one of my app from 
> settings.py ?
>

What do you mean, faster? In what way is that slow?
--
DR. 



Re: Get secret key from django settings

2014-03-25 Thread Shai Efrati
Hi Errfan,
You can get the SECRET_KEY through the environment variables. Just use:

from os import environ
SECRET_KEY = environ.get('SECRET_KEY')

Good luck!


Shai.


On Tue, Mar 25, 2014 at 8:36 AM, Errfan Wadia wrote:

> Hi,
>
> I am using from django.conf import settings
> Is there any faster way to get the SECRET_KEY in one of my app from
> settings.py ?



Get secret key from django settings

2014-03-25 Thread Errfan Wadia
Hi,

I am using from django.conf import settings
Is there any faster way to get the SECRET_KEY in one of my apps from 
settings.py?



RE: Re: Secret key

2010-03-09 Thread Henrik Genssen
The session, for example, depends on this key.

regards

Hinnack

>reply to message:
>date: 09.03.2010 15:20:38
>from: "rebus_" <r.dav...@gmail.com>
>to: django-users@googlegroups.com
>subject: Re: Secret key
>
>On 9 March 2010 15:16, Joan Miller <pelok...@gmail.com> wrote:
>> For what is used the key `SECRET_KEY`?
>
>A secret key for this particular Django installation. Used to provide
>a seed in secret-key hashing algorithms. Set this to a random string
>-- the longer, the better. django-admin.py startproject creates one
>automatically.
>
>http://docs.djangoproject.com/en/dev/ref/settings/#secret-key

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.



Re: Secret key

2010-03-09 Thread rebus_
On 9 March 2010 15:16, Joan Miller <pelok...@gmail.com> wrote:
> For what is used the key `SECRET_KEY`?

A secret key for this particular Django installation. Used to provide
a seed in secret-key hashing algorithms. Set this to a random string
-- the longer, the better. django-admin.py startproject creates one
automatically.

http://docs.djangoproject.com/en/dev/ref/settings/#secret-key




Secret key

2010-03-09 Thread Joan Miller
What is the key `SECRET_KEY` used for?




Re: Secret Key

2006-08-15 Thread Malcolm Tredinnick

On Wed, 2006-08-16 at 00:16 +, Seth Buntin wrote:
> This might be a stupid question (and maybe off topic) but what does the
> secret key do and why is it there?

If we told you it wouldn't be secret, now would it? Really... people
should think before asking these questions... :-)

More seriously, it is used to salt various strings (add a random bit of
content to them) before we create hashes in various places. Ironically,
I can't find anywhere we are actually using it as key for some
reversible process -- so it's really SECRET_SALT (mmm..
SECRET_SAUCE...).

Just grepping through the source tree for all occurrences of the string
might give you an idea of where it's used.

Best wishes,
Malcolm


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users
-~--~~~~--~~--~--~---



Re: Secret Key

2006-08-15 Thread limodou

On 8/16/06, Seth Buntin <[EMAIL PROTECTED]> wrote:
>
> This might be a stupid question (and maybe off topic) but what does the
> secret key do and why is it there?
>
It's used to deal with the password. Of course the password is processed by MD5.

-- 
I like python!
My Blog: http://www.donews.net/limodou
My Django Site: http://www.djangocn.org
NewEdit Maillist: http://groups.google.com/group/NewEdit




Secret Key

2006-08-15 Thread Seth Buntin

This might be a stupid question (and maybe off topic) but what does the
secret key do and why is it there?

