DEV Community

Biplov

Handling Passwords and Secret Keys using Environment Variables

What should we do with all the secret stuff like passwords or secret keys that we have in our code?

The simplest way, and the wrong way, to handle these important credentials is to hardcode them in our code. When you push the code to the repository, you are sharing your secrets with everybody else in your project. Even if you are working alone, it can cause problems, as anyone who sees your code will also have access to your secret information.

Keep them in environment variables

The safest way to handle your secret keys/passwords is to save them in environment variables. In this post we will learn how to save important credentials in environment variables and access them in a Python script.

Linux

To set passwords or secret keys in environment variables on Linux (and Mac), you need to modify the .bash_profile file that is in your home directory. Open the terminal and cd to the home directory.

$ cd

Now, open the .bash_profile file in any text editor of your choice.

$ nano .bash_profile

We need to add our environment variables to this file. To do that, add the following content at the top of the file.

export USER="username"
export PASSWORD="password"

Note: There should not be any whitespace on either side of the = sign.

Save the file in nano by pressing ctrl + x and then Y.
Now, use the following command to apply the changes.

$ source .bash_profile

Using a separate .env file

The above-mentioned method saves the secret credentials system-wide, which may not be a good idea if you have multiple applications.

The solution is to store the secrets in a separate .env file.
A dotenv file contains only text, with one environment variable assignment per line.
Create a .env file in your project and add your secret keys or passwords:

USER=username
PASSWORD=password

Important: Make sure to add it to your .gitignore file.

Now, you need to install the python-dotenv package. python-dotenv is a Python package that lets your Python app read a .env file. This package will search for a .env file and, if it finds one, will expose the variables in it to the app.

 $ pip install -U python-dotenv

Windows

To save passwords and secret keys in environment variables on Windows, you will need to open Advanced System Settings.

You can navigate to Control Panel > System and Security > System > Advanced system settings.
Now, in Advanced System Settings, click on Environment Variables.
Here we can add new user variables and new system variables. We will add a user variable by clicking New under User variables.

In the new window, add the Variable name and Variable value and click OK.
Now, click OK on the Environment Variables window to save the changes.

Access the environment variables

To access these variables in our Python script, we need to import the os module.
We can then read a variable by calling the os.environ.get() method and passing the key we want to access.

If you are using the python-dotenv method, you need to add a couple of lines at the start of your application.

from dotenv import load_dotenv
load_dotenv()

In the case of a Django project, you should add the above lines at the top of the wsgi.py and manage.py files.

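from dotenv import load_dotenv   # for the python-dotenv method
load_dotenv()                    # for the python-dotenv method

import os

# Variable names are case-sensitive on Linux and Mac, so use the same
# spelling as in the export line or the .env file.
# Note: the shell normally sets USER to your login name already, and
# load_dotenv() keeps an existing value unless called with override=True.
user_name = os.environ.get('USER')
password = os.environ.get('PASSWORD')

print(user_name, password)

# output:
# username password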
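
A startup check for the setup described above, added here as an example (not code from the original post): it fails fast when a required variable is missing instead of passing None along, and it flags a .env file that other accounts can read or that is not listed in .gitignore. The function names are hypothetical, the .gitignore test is a simplified exact-pattern match, and the permission check assumes a POSIX system.

```python
import os
import stat
from pathlib import Path


def missing_secrets(names, environ=os.environ):
    """Return the required variable names that are unset or empty."""
    return [name for name in names if not environ.get(name)]


def require_secrets(names, environ=os.environ):
    """Return {name: value}, or raise instead of handing None to later code."""
    missing = missing_secrets(names, environ)
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {name: environ[name] for name in names}


def env_file_findings(project_dir):
    """Return a list of problems with the .env file in project_dir."""
    project = Path(project_dir)
    env_file = project / ".env"
    if not env_file.is_file():
        return ["no .env file found"]
    findings = []
    # Any group/other permission bit lets other local accounts read the secrets.
    mode = stat.S_IMODE(env_file.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f".env mode is {mode:o}; restrict it with chmod 600")
    # Simplified check: look for an exact ignore pattern covering .env.
    gitignore = project / ".gitignore"
    patterns = set()
    if gitignore.is_file():
        lines = gitignore.read_text().splitlines()
        patterns = {line.strip().lstrip("/") for line in lines}
    if not patterns & {".env", ".env*", "*.env"}:
        findings.append(".env is not listed in .gitignore")
    return findings


if __name__ == "__main__":
    for finding in env_file_findings("."):
        print("WARNING:", finding)
    try:
        secrets = require_secrets(["USER", "PASSWORD"])
        print("loaded:", ", ".join(secrets))  # names only, never the values
    except RuntimeError as err:
        raise SystemExit(str(err))
```

Call require_secrets() after load_dotenv() so that values from the .env file are already in the environment when the check runs.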

Top comments (8)

Nicola Erario

Can I suggest using a .env file per project?
You don't have to save secrets system-wide and can manage them simply with a dotenv file in your project folder.
Install a package like python-dotenv.

Biplov • Edited

Thank you for your suggestion. I have updated the post with a way to store credentials in a separate .env file.

Özgür Kalan

Hi,

You may explicitly provide a path to your .env file.

from my notes:

# OR, explicitly providing path to '.env'
from dotenv import load_dotenv
from pathlib import Path  # python3 only
env_path = Path('.') / '.env'
load_dotenv(dotenv_path=env_path)

# settings.py
import os
SECRET_KEY = os.getenv("EMAIL")
DATABASE_PASSWORD = os.getenv("DATABASE_PASSWORD")

ps: I use Notion.so to jot down snippets, notes etc.

aderchox

Thank you for the post. python-dotenv is a very good idea.

Mateusz Jarzyna

Keeping passwords in .bash_profile is a terrible idea. Especially when you have more than one application.
The much better way is to store the credentials in files and take care of the chmod.

Biplov

Thank you for your suggestion. I have updated the post with a way to store credentials in a separate file in a project.

santra11

Just a question: I saved the secret key in the bash_profile in macOS. Now when I open the Jupyter notebook and then call the API key, "None" comes up in the output.

nityaoberoi09

Used the same method, but it's giving an error as it is showing a NoneType object. Please help!!!