
How to keep a SECRET_KEY secret in Django?

The Django documentation suggests keeping the SECRET_KEY in environmental variables rather than in the settings.py file.

Why is this considered safer? The environmental variables are plain text files which offer the same level of protection as settings.py. Even if the file rw permissions are set to root-only, I assume that this is not hard to break.

My question is: which other options are there to store the SECRET_KEY?

Or the master key used for encryption. From django-encrypted-secrets:

django-encrypted-secrets works by using a key (stored locally in master.key file or read from the environment variable DJANGO_MASTER_KEY) and reading/writing secrets to the encrypted file secrets.yml.enc.

If there is no other option than a plain text file or environmental variable stored locally, how can this one be protected properly?

The reason it's considered safer is because you should have your settings file in git or some other VCS to have consistent development environments, but your secrets should be outside of it. This way, even developers don't have the production secrets if they don't need them.

It doesn't need any extra protection as long as you're careful about how you deploy your code, who can access the servers, etc.

Your question also asks about other methods, so...

You could encrypt it like you have there, but this will always require a master key that also needs securing somehow.

Another option is to use a text file on the server.

A good option if you want to encrypt the secrets is to store them encrypted in your continuous integration solution, which injects them into the environment at deploy time. Travis CI, GitHub Actions, more or less any CI solution can do this.

But in general, just keeping it out of VCS and limiting the access to the secrets is usually good enough.
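The answer's approach (keep the key out of VCS, inject it through the environment, and limit who can read it) can be implemented as a small loader in settings.py. The code below is an added example, not part of the original answer or of Django itself. It assumes two environment variable names of its own choosing, `DJANGO_SECRET_KEY` and `DJANGO_SECRET_KEY_FILE`; the file variant is what container and CI secret mounts typically provide. It fails hard when no key is configured instead of silently falling back to a development default, and it refuses a key file that other users on the host can read, which addresses the question's concern about file permissions. `SecretKeyError` stands in for Django's `ImproperlyConfigured` so the example runs without Django installed.

```python
import os
import stat
from typing import Mapping


class SecretKeyError(RuntimeError):
    """Raised when no usable SECRET_KEY can be loaded.

    Stands in for django.core.exceptions.ImproperlyConfigured so this
    example runs without Django installed.
    """


def _read_key_file(path: str) -> str:
    """Read a secret from a file, refusing files readable by group/others."""
    mode = os.stat(path).st_mode
    # A plain-text secret is only as safe as the permissions guarding it,
    # so anything looser than owner-only (chmod 600) is rejected outright.
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        raise SecretKeyError(f"{path} is accessible by group/others; use chmod 600")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def load_secret_key(env: Mapping[str, str] = os.environ, min_length: int = 50) -> str:
    """Return the Django SECRET_KEY from the environment or a mounted file.

    Lookup order (variable names are this example's own convention):
      1. DJANGO_SECRET_KEY        - the key itself, injected at deploy time
      2. DJANGO_SECRET_KEY_FILE   - path to a file holding only the key
    Raises SecretKeyError when neither is set or the key is too short
    (50 characters is the length Django's deployment check expects).
    """
    key = env.get("DJANGO_SECRET_KEY", "").strip()

    if not key and env.get("DJANGO_SECRET_KEY_FILE"):
        key = _read_key_file(env["DJANGO_SECRET_KEY_FILE"])

    if not key:
        # Never fall back to a hard-coded default: a known key lets anyone
        # forge session cookies and signed tokens.
        raise SecretKeyError(
            "Set DJANGO_SECRET_KEY or DJANGO_SECRET_KEY_FILE; refusing to start"
        )
    if len(key) < min_length:
        raise SecretKeyError(f"SECRET_KEY is shorter than {min_length} characters")
    return key


if __name__ == "__main__":
    # In settings.py this is simply:  SECRET_KEY = load_secret_key()
    try:
        print("loaded key of length", len(load_secret_key()))
    except SecretKeyError as exc:
        print("startup refused:", exc)
```

Because the loader raises before Django finishes importing settings, a misconfigured deployment fails at startup rather than running with an empty or shared key, and the permission check turns the "root-only file" assumption in the question into something the application verifies each time it boots.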
