django-dotenv
Allow (or enforce) encryption of .env file
Hi - thanks for building this great repo!
I noticed that you suggest adding .env to the .gitignore file - presumably because the config shouldn't be exposed as part of the repository?
Do you have a suggestion on how to share the .env file with members of my team?
The best answer I could find suggests checking in the .env file and encrypting it as an option.
What do maintainers think about allowing encryption of the .env file with one master password? I'd be happy to help with a PR if it would be welcomed and someone could help me think through best practice implementation.
Or, is there a better way to share the .env file with my team?
I think the typical way is to have .env.example in your repo, with comments to explain the settings, default values where possible (e.g. DATABASE_URL="postgres://localhost:5432/project"), and instructions for real secrets (GOOGLE_MAPS_API_KEY="ask in slack channel XYZ" or "see 1password/project/google maps key"). Then the README can instruct people to copy that file to .env and edit it.
@merwok but how would that work when you kill instances and make new ones all the time? For every new deploy you will need to manually copy the file from one place to another so that doesn't seem pragmatic.
I think encrypting the file is more realistic. Then you have everything in one place and you only need to pass one environment variable (the decryption key) to the server.
Ah that’s another problem! What I said about copying .env.example to .env and changing values is for local dev, i.e. to help my coworkers set up their environment.
For server deployment, this becomes a config management issue. If I run on Heroku, I already have an interface to define environment variables. On another container platform, I have docker secrets. On AWS EC2, I’ll get my secrets from SSM. On another VM, maybe I’ll have an ansible vault that creates a .env file.
@merwok In your EC2/SSM example, do you still use this library?
No, I connect to the SSM API (using https://github.com/caravancoop/configstore/) to get settings, without writing them to an env file.