Thursday, January 30, 2020

Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

I don't think you are overthinking this. 

On Thu, 30 Jan 2020, 12:40 Tom Moore, <hello@thomasmoore.me> wrote:
Hi there, I'm following the guidelines by making sure the environment variables are stored outside of the settings.py files.

The project is "dockerised" and so the environment variables have been stored in files docker-compose.yml and docker-compose-prod.yml.

What we do isn't perfect but does limit our exposure:

- we don't store the production key(s) in git at all.
- instead, we fetch them at deployment time using a secure connection to the store, and then inject them into our runtime (we are still in a VM)

The secure connection is the less-than-ideal part, since we require a human to provide the private key. In theory, we can replace that with automation at the cost of a short insecure connection (or some other complex key management). But we can change that at will as our scale needs evolve.

This includes things like the project's secret key, API keys, and database passwords.

My question is: 
• Just because environment variables are stored in .yml files, won't they be equally insecure the moment I commit the project folder to a git repo (and especially if I push that repo to GitHub)?
e.g. the Secret Key will forevermore be stored in the git repo (in earlier versions, even if I later move it to another file in subsequent commits).

Is there an even more secure way of storing environment variables? Or am I overthinking it (as I'm the only developer and the GitHub repo is set to Private)?

Many thanks in advance for your help.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/887bcd5b-4525-4a54-a4e5-5eae32b20041%40googlegroups.com.

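A check of the kind this thread is circling, added here as an example (it is not code from either poster): it scans a docker-compose file for `environment:` entries whose secret-looking keys carry a literal value instead of a `${VAR}` reference that the deploy step fills in. The compose layout it parses and the sample compose text are assumptions constructed for the example.

```python
"""Flag hard-coded secrets in docker-compose `environment:` blocks (added example).
Assumes list form `- KEY=value` or mapping form `KEY: value`; `${VAR}`/`$VAR`
references, empty values and bare KEY (inherited from the deploy shell) are safe."""

import re

SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)
INTERPOLATION = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
LIST_ITEM = re.compile(r"^-\s*([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?$")
MAP_ITEM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")

# Constructed sample: one literal per service, one value injected at deploy time.
SAMPLE_COMPOSE = """\
services:
  web:
    environment:
      - DJANGO_SECRET_KEY=change-me-this-is-a-literal   # in git history forever
      - DATABASE_PASSWORD=${DATABASE_PASSWORD}          # supplied by the deploy step
      - STRIPE_API_KEY
      - DEBUG=0
  db:
    environment:
      POSTGRES_PASSWORD: "hunter2"
      POSTGRES_USER: app
"""

def find_hardcoded_secrets(compose_text):
    """Return [(line_number, key)] for secret-looking keys given a literal value."""
    findings = []
    env_indent = None  # indentation of the `environment:` key we are inside, if any
    for lineno, raw in enumerate(compose_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # dedented: we left the environment block
        if env_indent is None:
            if body == "environment:":
                env_indent = indent
            continue
        m = LIST_ITEM.match(body) or MAP_ITEM.match(body)
        if not m:
            continue
        key, value = m.group(1), (m.group(2) or "").strip().strip("'\"")
        if SECRET_NAME.search(key) and value and not INTERPOLATION.match(value):
            findings.append((lineno, key))
    return findings
```

Run it as a pre-commit hook over every `docker-compose*.yml`; any finding is a value that will sit in git history even after a later commit moves it elsewhere.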