djangodjango-settings

Where to store secret keys DJANGO


For the life of me, I have been looking for this everywhere and have not found the answer. I hope I am not posting a duplicate.

It is advised everywhere that you should keep your secret keys in a separate file from your general settings.py. Also, that you should never commit your "secret.py" file that contains keys such as SECRET_KEY, AWS_SECRET_KEY and so on.

My question is: In your production server, you need to reference your secret keys, that means that your "secret.py" settings file, should live somewhere around the server right? If so, how do you protect your secret keys in production?


Solution

  • See the Django deployment docs for a discussion on this.

    There's quite a few options for production. The way I do it is by setting my sensitive data variables as environmental variables on the production environments. Then I retrieve the variables in the settings.py via os.environ like so:

    import os
    SECRET_KEY = os.environ['SECRET_KEY']
    

    Another possible option is to copy in the secret.py file via your deploy script.

    I'm sure there are also other specific options for different web servers.