Learn Django

Handling Sensitive Keys

It's best practice not to store sensitive data (e.g. passwords) within the main settings file. These keys should be secured and only given out on an as-needed basis. This might not be a big deal when one person is working on a project, but once the team starts to grow and code is kept in a shared repository, every secret committed to settings.py is exposed to everyone with access to that repository. It's better to store these keys as environment variables. In this lesson you'll learn how to do that.

Step 1: Handling the Database Password

In the previous lesson you set up the database and configured settings.py with the password hardcoded in it. In this step it will be moved to an environment variable.

Set the Database Password Environment Variable on Windows

Here are the steps for Windows.

  1. Open a command prompt
  2. Type setx CRMEASY_DB_PASS <your db password>

Set the Database Password Environment Variable on a Mac

Here are the steps for a Mac.

  1. Open the .bash_profile file and go into edit mode
  2. Add the line below to the top of the file and save it

export CRMEASY_DB_PASS=<your db password>

Import the Database Password Environment Variable

Import the database password into the settings.py file by adding two additional lines to the settings file. This password is only needed in the 'development' environment. Add the two CRMEASY_DB_PASS lines (the `CRMEASY_DB_PASS = False` default and the `get_env_variable` call inside the development branch) to the settings file as shown below.

DEBUG = False
TEMPLATE_DEBUG = DEBUG
CRMEASY_DB_PASS = False
if ENV_ROLE == 'development':
    DEBUG = True
    TEMPLATE_DEBUG = DEBUG
    # the password is only read from the environment in development
    CRMEASY_DB_PASS = get_env_variable('CRMEASY_DB_PASS')
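The get_env_variable helper that the fragment above calls is not shown on this page. The following is an added example of such a helper (not the course's own code; the environ parameter, the placeholder check and the development_settings wrapper are my assumptions): it fails at startup with ImproperlyConfigured naming the missing variable, rather than silently running with an empty password or secret key, and it never echoes the secret's value in the error.

```python
import os

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # lets the helper run outside a Django install
    class ImproperlyConfigured(Exception):
        pass


def get_env_variable(var_name, environ=None):
    """Return the value of an environment variable, or fail loudly.

    A missing variable raises ImproperlyConfigured naming the variable
    (never its value), so a misconfigured environment stops the server
    instead of starting with a blank password or SECRET_KEY.
    """
    environ = os.environ if environ is None else environ
    try:
        value = environ[var_name]
    except KeyError:
        raise ImproperlyConfigured(
            "Set the %s environment variable" % var_name)
    # Catch a tutorial placeholder such as "<your db password>" that was
    # copied into .bash_profile or setx without being replaced.
    if value.startswith("<") and value.endswith(">"):
        raise ImproperlyConfigured(
            "%s still holds a placeholder value" % var_name)
    return value


def development_settings(env_role, environ=None):
    """Mirror the settings.py fragment: DEBUG and the database password
    are only switched on when ENV_ROLE is 'development'."""
    settings = {"DEBUG": False, "CRMEASY_DB_PASS": False}
    if env_role == "development":
        settings["DEBUG"] = True
        settings["CRMEASY_DB_PASS"] = get_env_variable(
            "CRMEASY_DB_PASS", environ)
    return settings
```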

Update Database Settings

The last step is to remove the password from the settings file and replace it with the environment variable. Modify the DATABASES configuration as shown below. Only the PASSWORD setting has changed.

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': 'crmeasyDB',
        'USER': 'postgres',
        'PASSWORD': CRMEASY_DB_PASS,   # read from the environment, not hardcoded
        'HOST': '/tmp',
        'PORT': '5432',
    }
}

Step 2: Handling the Django Secret Key

There is a setting in the settings.py file named SECRET_KEY. This key is part of Django's security system. Given it's part of the security system, it's best to keep this key hidden and safe. Therefore in this step we're going to turn it into an environment variable.

Set the SECRET_KEY Environment Variable on a Mac

The first step is to add the key as an environment variable.

  1. Open the /.../crmeasy/crmapp/settings.py file
  2. Locate the SECRET_KEY line
  3. Copy the secret key value including the quotes
  4. Open the .bash_profile file and go into edit mode
  5. Add the line below to the top of the file and save it

export SECRET_KEY=<your secret key>

Set the SECRET_KEY Environment Variable on Windows

Here are the steps for Windows.

  1. Open the /.../crmeasy/crmapp/settings.py file
  2. Locate the SECRET_KEY line
  3. Copy the secret key value including the quotes
  4. Open a command prompt
  5. Type setx SECRET_KEY <your secret key>

Update the Settings.py File

Follow these steps to update the settings.py file.

  1. With the settings.py file open, locate the SECRET_KEY setting. Delete the entire line and add the code below in its place.

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = get_env_variable('SECRET_KEY')

Step 3: Validate the Change

  1. Close the terminal, start a new one, navigate to /.../crmeasy and activate the virtual environment
  2. Now test the installation to make sure all is working well - at the terminal type python manage.py runserver. If the server starts with no errors, the changes were successful

Step 4: Commit Changes

Execute these commands to commit your changes in Git.

# add files
(venv)$ git add .

# commit files
(venv)$ git commit -m "removed keys from settings file; replaced with env vars"
