Build Django Applications Without Exposing Secrets


How to keep secrets safe and in sync

Provision database passwords, API keys, and other secrets to your Django app, without keeping them in Git and without having to change your Python code.

Step 1

Replace plaintext secrets with references

Collect all secrets from your settings.py, orchestrator manifests, .env file, or any other config file, and use the SecretHub CLI to encrypt and centrally store them.

In your Python code there is no need to import a library or SDK of any kind: you simply read the secrets from environment variables.

settings.py

import os

# Each secret is read from the environment that the SecretHub CLI populates at startup.
# Nothing here is hard-coded, so settings.py can be committed as-is.
DB_USER = os.getenv('DB_USER')
DB_PASSWORD = os.getenv('DB_PASSWORD')
API_KEY = os.getenv('API_KEY')


To specify the secrets your Django app needs, create a file named secrethub.env:

secrethub.env

DB_USER     = {{ company/app/db/user }}
DB_PASSWORD = {{ company/app/db/password }}
API_KEY     = {{ company/app/api/key }}

If you're familiar with .env files in Python, think of secrethub.env as a templated version of a regular .env file: because it holds only references and no secret values, it can be checked into Git and shared freely with the world.

Step 2

Load secrets into your Django app the moment it starts

To load the referenced secrets automatically on startup, all you need to do is prefix the command in your Django application's launch script with the SecretHub CLI.

Before

python manage.py runserver

After

secrethub run -- python manage.py runserver

How do I Dockerize this?

To make this work for your Django app in Docker, you can simply add the SecretHub binary to your Dockerfile. It is lightweight and works with your favorite package manager. For more information on this topic, see the Docker guide.
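As an added example (not SecretHub's own code and not part of the original page), the following Python models what `secrethub run` does with the secrethub.env template from Step 1: it parses the KEY = {{ path }} references, resolves them against a secret store (a constructed in-memory dict stands in for the encrypted store here), refuses to start the app if a reference cannot be resolved or a plaintext value has slipped into the template, and hands the values to the child process through its environment only.

```python
import os
import re
import subprocess
from typing import Dict, Mapping

# Constructed sample template; mirrors the page's secrethub.env, with one comment line added.
TEMPLATE = """\
# database credentials and the external API key
DB_USER     = {{ company/app/db/user }}
DB_PASSWORD = {{ company/app/db/password }}
API_KEY     = {{ company/app/api/key }}
"""

# Constructed stand-in for the encrypted store: secret path -> decrypted value.
SAMPLE_STORE = {"company/app/db/user": "django", "company/app/db/password": "example-db-password",
                "company/app/api/key": "example-api-key"}

_LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\{\{\s*([^\s{}]+)\s*\}\}$")  # KEY = {{ path }}

class MissingSecret(LookupError):
    """A referenced secret path does not exist in the store."""

def parse_template(text: str) -> Dict[str, str]:
    """Map each variable name to its secret path; reject anything that is not a reference."""
    refs: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        match = _LINE_RE.match(line)
        if not match:  # e.g. a plaintext value pasted in by mistake: refuse it, do not run
            raise ValueError(f"line {lineno}: expected KEY = {{{{ path }}}}, got {raw!r}")
        key, path = match.groups()
        if key in refs:
            raise ValueError(f"line {lineno}: variable {key} is defined twice")
        refs[key] = path
    return refs

def resolve_env(refs: Mapping[str, str], store: Mapping[str, str]) -> Dict[str, str]:
    """Resolve every reference, failing before startup if any secret is missing."""
    missing = sorted(set(refs.values()) - set(store))
    if missing:
        raise MissingSecret("unresolved secret paths: " + ", ".join(missing))
    return {key: store[path] for key, path in refs.items()}

def run_with_secrets(argv, template=TEMPLATE, store=SAMPLE_STORE) -> int:
    """Launch argv (e.g. python manage.py runserver) with the secrets present only in its environment."""
    env = dict(os.environ)
    env.update(resolve_env(parse_template(template), store))
    return subprocess.run(argv, env=env, check=False).returncode
```

Because resolution happens before the child is spawned, a missing or revoked secret stops the app at launch instead of letting settings.py pick up a None value.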

Step 3

Control & monitor secret reads done by your Django app

Every time your Django app starts, its secret reads are recorded in the audit log. Restrict its access to only the secrets it needs, knowing that you can revoke that access with a single command.


👋 Goodbye plaintext secrets

  • All secrets are end-to-end encrypted, access controlled, and auditable
  • A single source of truth to keep all systems, apps, and services in sync
  • No operations and maintenance overhead in hosting a complex secret server

Unify secrets management across all software delivery phases

You don't have to reinvent the wheel for every platform you run your Django app on. Use a single tool to keep secrets safe and in sync across your entire stack.