Where to store secret keys DJANGO

Question

For the life of me, I have been looking for this everywhere and have not found the answer. I hope I am not posting a duplicate.

It is advised everywhere that you should keep your secret keys in a separate file from your general settings.py. Also, that you should never commit your "secret.py" file that contains keys such as SECRET_KEY, AWS_SECRET_KEY and so on.

My question is: In your production server, you need to reference your secret keys, that means that your "secret.py" settings file, should live somewhere around the server right? If so, how do you protect your secret keys in production?

Answer 1

I wanted to add a new answer because, as a beginner, the previous accepted answer didn't make a lot of sense to me (it was only one part of the puzzle).

So here's how I store my keys both LOCALLY and in PRODUCTION (Heroku, and others).

Note: You really only have to do this if you plan on putting your project online. If it's just a local project, no need.

I also made a video tutorial for people who prefer that format.

1) Install python-dotenv to create a local project environment to store your secret key.

pip install python-dotenv 

2) Create a .env file in your base directory (where manage.py is).

YourDjangoProject ├───project │   ├───__init__.py │   ├───asgi.py │   ├───settings.py │   ├───urls.py │   └───wsgi.py ├───.env ├───manage.py └───db.sqlite3 

If you have a Heroku project, it should look something like this:

YourDjangoProject ├───.git ├───project │   ├───__init__.py │   ├───asgi.py │   ├───settings.py │   ├───urls.py │   └───wsgi.py ├───venv ├───.env ├───.gitignore ├───manage.py ├───Procfile ├───requirements.txt └───runtime.txt 

3) Add .env to your .gitignore file.

echo .env > .gitignore  # Or just open your .gitignore and type in .env 

This is how you keep your secret key more secure because you don't upload your .env file to git or heroku (or wherever else).

4) Add your SECRET_KEY from your settings.py file into the .env file like so (without quotes)

**Inside of your .env file** SECRET_KEY=qolwvjicds5p53gvod1pyrz*%2uykjw&a^&c4moab!w=&16ou7 # <- Example key, SECRET_KEY=yoursecretkey 

5) Inside of your settings.py file, add the following settings:

import os import dotenv # <- New  # Add .env variables anywhere before SECRET_KEY dotenv_file = os.path.join(BASE_DIR, ".env") if os.path.isfile(dotenv_file):     dotenv.load_dotenv(dotenv_file)  # UPDATE secret key SECRET_KEY = os.environ['SECRET_KEY'] # Instead of your actual secret key 

or, thanks to @Ashkay Chandran's answer:

from dotenv import load_dotenv, find_dotenv  load_dotenv(find_dotenv())  SECRET_KEY = os.environ['SECRET_KEY'] 

And now your secret key is successfully stored locally.

Update: I found out you can also use the config method from the package python-decouple that seems to be a bit easier:

from decouple import config  SECRET_KEY = config('SECRET_KEY')  

Now you don't need to import os or use dotenv because it takes care of those parts for you AND will still use the .env file. I started using this in all of my projects.

6) Add the SECRET_KEY environment variable on your host (such as Heroku).

---

I work mostly with Heroku sites, so if you're wanting to use Heroku for a Django project, this part is for you.

This assumes that you already have a Heroku project setup and have Heroku CLI downloaded on your computer.

You have 2 options:

1. From Command Line / Terminal, you can enter the following command in your project's directory:

heroku config:set SECRET_KEY=yoursecretkey # Again, no quotes. 

2. You can go to your Heroku dashboard, click on your app, go to your apps settings, and see the "Config Vars" section and click "Reveal Vars" or "Add Vars" and add your SECRET_KEY there.

Then, when you push your project to Heroku through git, it should be working properly without any issue.

and that's it! 🙂

This answer was targeted towards total beginners / intermediates to hopefully cut through any confusion (because it was definitely confusing for me).

Hope this helps!

Happy coding.

Answer 2

See the Django deployment docs for a discussion on this.

There's quite a few options for production. The way I do it is by setting my sensitive data variables as environmental variables on the production environments. Then I retrieve the variables in the settings.py via os.environ like so:

import os SECRET_KEY = os.environ['SECRET_KEY'] 

Another possible option is to copy in the secret.py file via your deploy script.

I'm sure there are also other specific options for different web servers.