Keep Secret Keys Out

Question

One of the causes of the local_settings.py anti-pattern is that putting SECRET_KEY, AWS keys, etc. values into settings files has problems:

  • Secrets often should be just that: secret! Keeping them in version control means that everyone with repository access has access to them.

My question is how to keep all keys as secret?

Recommended answer

Store your local_settings.py data in a file encrypted with GPG - preferably as strictly key=value lines which you parse and assign to a dict (the other attractive approach would be to have it as executable Python, but executable code in config files makes me shiver).

There's a Python gpg module so that's not a problem. Get your keys from your keyring, and use the GPG keyring management tools so you don't have to keep typing in your keychain password. Make sure you are reading the data straight from the encrypted file, and not just creating a decrypted temporary file which you read in. That's a recipe for fail.

That's just an outline, you'll have to build it yourself.

This way the secret data remains solely in the process memory space, and not in a file or in environment variables.
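
One way to build the outline in the answer above (an added example, not code from the original answer). It assumes the `gpg` command-line tool with an agent-unlocked keyring and calls it through `subprocess` instead of the Python gpg module the answer mentions; the file name `local_settings.gpg`, the function names and the sample values are hypothetical.

```python
import subprocess


class SecretsFormatError(ValueError):
    """Raised when the decrypted file is not strict KEY=value lines."""


def parse_secrets(plaintext: bytes) -> dict:
    """Parse KEY=value lines into a dict; nothing is evaluated as code."""
    secrets = {}
    for lineno, raw in enumerate(plaintext.decode("utf-8").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        key, sep, value = line.partition("=")  # split on the first '=' only
        key = key.strip()
        if not sep or not key.isidentifier() or not key.isupper():
            # Report the line number only: the line may hold a secret.
            raise SecretsFormatError(f"line {lineno}: expected KEY=value")
        if key in secrets:
            raise SecretsFormatError(f"line {lineno}: duplicate key")
        secrets[key] = value.strip()
    return secrets


def load_secrets(path: str = "local_settings.gpg") -> dict:
    """Decrypt with gpg into a pipe, so plaintext never touches disk."""
    result = subprocess.run(
        ["gpg", "--batch", "--quiet", "--decrypt", path],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        check=True,  # raises CalledProcessError if decryption fails
    )
    return parse_secrets(result.stdout)


# Constructed sample of what the decrypted file could contain.
SAMPLE_PLAINTEXT = b"""\
# local settings (constructed values)
SECRET_KEY=constructed-django-key==
AWS_ACCESS_KEY_ID = EXAMPLEKEYID
"""

if __name__ == "__main__":
    print(sorted(parse_secrets(SAMPLE_PLAINTEXT)))  # key names only
```

In `settings.py` this would be used as `SECRET_KEY = load_secrets()["SECRET_KEY"]`, with only the encrypted file kept in the repository.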
