Sensitive secrets

Using .secrets files

To store sensitive data safely, Dynaconf also searches for a .secrets file, which holds data like tokens and passwords.

Example:

[default]
password = "sek@987342$"

The secrets file supports all the environment definitions supported in the settings file.

IMPORTANT: The reason to use a separate file is that it can be omitted when committing to the repository, so the repository's ignore rules should include a line that matches it.
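A pre-commit style check for the point above, as an added example that is not part of Dynaconf or the original page. It assumes secrets files are named `.secrets.<ext>` (for instance `.secrets.toml`) and that the repository uses git; the function names are hypothetical.

```python
"""Fail if a Dynaconf secrets file is tracked by git or not covered by .gitignore."""
import fnmatch
import subprocess
import sys
from pathlib import PurePosixPath

# Assumption: secrets files follow the .secrets.<ext> naming convention.
SECRETS_PATTERN = ".secrets.*"


def tracked_secrets(tracked_paths):
    """Return the tracked paths whose file name matches SECRETS_PATTERN."""
    return [p for p in tracked_paths
            if fnmatch.fnmatchcase(PurePosixPath(p).name, SECRETS_PATTERN)]


def is_ignored(gitignore_text, name=".secrets.toml"):
    """Approximate gitignore matching for a bare file name; the last matching rule wins."""
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        if "/" in pattern:
            continue  # path-anchored rules are not evaluated here
        if fnmatch.fnmatchcase(name, pattern):
            ignored = not negate  # a later "!pattern" re-includes the file
    return ignored


def main():
    out = subprocess.run(["git", "ls-files"], capture_output=True,
                         text=True, check=True).stdout
    leaked = tracked_secrets(out.splitlines())
    for path in leaked:
        print(f"tracked secrets file: {path}", file=sys.stderr)
    try:
        with open(".gitignore", encoding="utf-8") as fh:
            covered = is_ignored(fh.read())
    except FileNotFoundError:
        covered = False
    if not covered:
        print("no .gitignore rule covers .secrets.* files", file=sys.stderr)
    return 1 if leaked or not covered else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the repository root; a non-zero exit status means a secrets file is already tracked or would not be ignored. A file that was committed earlier stays in history, so any password it held should be rotated.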

Using Vault server

Vault (vaultproject.io) is a key:value store for secrets, and Dynaconf can load variables from a Vault secret.

  1. Run a Vault server

Run an installed Vault server, or start one via docker:

$ docker run -d -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -p 8200:8200 vault

  2. Install Vault support in Dynaconf

$ pip install dynaconf[vault]

  3. In your file or in exported environment variables define:

VAULT_ENABLED_FOR_DYNACONF=true
VAULT_URL_FOR_DYNACONF="http://localhost:8200"
VAULT_TOKEN_FOR_DYNACONF="myroot"

Now you can have keys like and defined in the vault and dynaconf will read it.

To write a new secret, you can use the web admin at http://localhost:8200 and write keys under the secret database.

You can also use the Dynaconf writer via the console:

$ dynaconf write vault -s password=123456