堆栈内存溢出
  简体   繁体   English

如何在 Django 中保密 SECRET_KEY?

[英]How to keep a SECRET_KEY secret in Django?

 原文  2020-05-09 15:42:55       python/ django/ encryption/ key/ secret-key

问题描述

The Django documentation suggests keeping the SECRET_KEY in environmental variables rather than in the settings.py file. Django 文档建议将 SECRET_KEY 保留在环境变量中,而不是在 settings.py 文件中。

Why is this considered safer?为什么这被认为更安全? The environmental variables are plain text-files which offer the same level of protection as settings.py.环境变量是纯文本文件,提供与 settings.py 相同级别的保护。 Even if the file rw permissions are set to root-only, I assume that this is not hard to break.即使文件 rw 权限设置为 root-only,我认为这并不难破解。

My question is: which other options are there to store the SECRET_KEY?我的问题是:还有哪些其他选项可以存储 SECRET_KEY?

Or the master key used for encryption.或用于加密的主密钥。 From django-encrypted-secrets :来自django-encrypted-secrets

django-encrypted-secrets works by using a key (stored locally in master.key file or read from the environment variable DJANGO_MASTER_KEY) and reading/writing secrets to the encrypted file secrets.yml.enc. django-encrypted-secrets 通过使用密钥(本地存储在 master.key 文件中或从环境变量DJANGO_MASTER_KEY 读取)和读取/写入加密文件 secrets.yml.enc 的秘密来工作。

If there is no other option than a plain text-file or environmental variable stored locally.如果除了本地存储的纯文本文件或环境变量之外别无选择。 How can this one be protected properly?如何妥善保护这一点?

1 个解决方案

解决方案1
 4 已采纳  2020-05-09 15:57:28

The reason it's considered safer is because you should have your settings file in git or some other VCS to have consistent development environments, but your secrets should be outside of it.它被认为更安全的原因是因为您应该在 git 或其他一些 VCS 中拥有您的设置文件以拥有一致的开发环境,但您的秘密应该在它之外。 This way, even developers don't have the production secrets if they don't need them.这样,即使开发人员不需要生产机密,他们也没有生产机密。

It doesn't need any extra protection as long as you're careful about how you deploy your code, who can access the servers, etc.只要您注意如何部署代码、谁可以访问服务器等,它就不需要任何额外的保护。

Your question also asks about other methods, so...您的问题还询问其他方法,所以...

You could encrypt it like you have there, but this will always require a master key that also needs securing somehow.您可以像在那里一样对其进行加密,但这总是需要一个也需要以某种方式保护的主密钥。

Another option is to use a text file on the server.另一种选择是使用服务器上的文本文件。

A good option if you want to encrypt the secrets is to store them encrypted in your continuous integration solution, which injects them into the environment at deploy time.如果您想加密秘密,一个不错的选择是将它们加密存储在您的持续集成解决方案中,这会在部署时将它们注入环境中。 Travis CI, GitHub Actions, more or less any CI solution can do this. Travis CI,GitHub Actions,或多或少任何 CI 解决方案都可以做到这一点。

But in general, just keeping it out of VCS and limiting the access to the secrets is usually good enough.但一般来说,将其排除在 VCS 之外并限制对机密的访问通常就足够了。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Django设置SECRET_KEY - Django settings SECRET_KEY 部署Django SECRET_KEY - Deploy Django SECRET_KEY VPS 上的 Django SECRET_KEY - Django SECRET_KEY on VPS 当生成的 SECRET_KEY 以“$”开头时,如何从环境文件中转义 Django 中的 SECRET_KEY? - How to escape SECRET_KEY in Django from environment file when generated SECRET_KEY begins with '$'? Django 中的 SECRET_KEY = os.environ['SECRET_KEY'] 如何工作? - How does SECRET_KEY = os.environ['SECRET_KEY'] in Django work? 如何使用virtualenv和Django隐藏我的secret_key? - How to I hide my secret_key using virtualenv and Django? Django 说 SECRET_KEY 不能为空 - Django says SECRET_KEY must not be empty 关于 Django 和 SECRET_KEY 的困惑 - Confusion regarding Django and SECRET_KEY Django 异常:未正确配置 SECRET_KEY - Django exception: Improperly configured SECRET_KEY Django 中的动态 SECRET_KEY 缺点 - Dynamic SECRET_KEY in Django disadvantages
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM