Metadata-Version: 2.1
Name: django-encrypted-secrets
Version: 0.9.1
Summary: A Django app for managing secrets.
Home-page: https://github.com/nzaillian/django-encrypted-secrets
Author: Axiomatic LLC
Author-email: contact@axiomatic.im
License: MIT License
Platform: UNKNOWN
Classifier: Environment :: Web Environment
Classifier: Framework :: Django
Classifier: Framework :: Django :: 2.0
Classifier: Framework :: Django :: 2.1
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3 :: Only
Description-Content-Type: text/markdown
Requires-Dist: PyCrypto
Requires-Dist: PyYAML

# django-encrypted-secrets

`django-encrypted-secrets` brings Rails-style [encrypted credentials](https://edgeguides.rubyonrails.org/security.html#custom-credentials) to the [Django web framework](https://www.djangoproject.com/).

## Installation

To install `django-encrypted-secrets`, first pip install the module:

    $ pip install django-encrypted-secrets


Add `encrypted_secrets` to INSTALLED_APPS in your django settings file:

    INSTALLED_APPS = [
        ...
        'encrypted_secrets'
    ]

Finally, you must call `load_secrets()` from within your `manage.py` and `wsgi.py` files:


```
#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets

if __name__ == "__main__":
    load_secrets()
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
    # ...
```

## Usage

`django-encrypted-secrets` works by using a key (stored locally in `master.key` file or read from the environment variable `DJANGO_MASTER_KEY`) and reading/writing secrets to the encrypted file `secrets.yml.enc`.

    ./manage.py init_secrets

You can edit the secrets by running:

    ./manage.py edit_secrets

When you save the file in your editor, its contents are encrypted and used to overwrite the `secrets.yml.enc` file.

Finally, to read secrets within your codebase, use the `get_secret` utility:

```
from encrypted_secrets import get_secret

# ...

secret_api_key = get_secret("secret_api_key")

````

You should always keep your `master.key` file `.gitignored`.

## env mode (experimental)

`django-encrypted-secrets` experimentally supports loading key-value pairs from an encrypted file written in the [dotenv](https://github.com/theskumar/python-dotenv) format directly into the environment. To use this style of variable loading, you must pass `env_mode=True` to your `load_secrets` call in `manage.py` and `wsgi.py`:

```
#!/usr/bin/env python
import os
import sys
from encrypted_secrets import load_secrets

if __name__ == "__main__":
    load_secrets(env_mode=True) # <- important
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "yourapp.settings")
    # ...
```

You must also pass the `--mode=env` flag to the `init_secrets` management command when initializing `django-encrypted-secrets`:

```
$ ./manage.py init_secrets --mode=env
```

A template encrypted dotenv-type file will be written to `secrets.env.enc`. When using env mode, secrets are automatically merged into the environment. This means that, in addition to being able to read secrets using the `get_secret` helper method, you may also read them as ordinary environment variables:

```
import os

secret_api_key = os.environ.get('SECRET_API_KEY')
```

## Production considerations

`django-encrypted-secrets` looks for the encrypted secrets file within the current working directory from which you execute management commands (using `os.getcwd()`). This is implicitly the project root directory. Depending on your production server configuration, `os.getcwd()` may not actully return the project root. For production, we therefore recommend you explicitly set a `DJANGO_SECRETS_ROOT` environment variable pointing to the project root to hint to `django-encrypted-secrets` where it should look for the encrypted secrets file.


