A safe way to store Django environmental Variables

django, python3
pip install django-envcrypto==0.8.7


Why use Django-Envcrypto

Django-Envcrypto allows you to safely store your environment variables in your code repository. Furthermore, you can have different sets of variables for multiple deployment levels. It's easy to use and comes with great command line tools.


You can easly install django-envcrypto with pip by running:

pip install django-envcrypto


After you install django-envcrypto all you need to do is to add it to your Djano INSTALLED_APPS variable on your file


Next you can use it to create your first deploy level

./ env-create debug

This will create a debug.env file in the root of your Django project with a new django SECRET_KEY. It also outputs the key for this deploy level. Make sure you save that key, as you will never be able to recover it.

You SHOULD commit this .env file in your code repository. It's perfectly save, has it's contents are encrypted.

At this state you can export this key to your environment, as django-envcrypto can read it from the KEY variable.

Lastly, add Django-Envcrypto variables to your django project

from envcrypto import DeployLevel

# Please add a placeholder for your SECRET_KEY, as Django will raise an exception if it is not defined on the file. The secret key will be replaced with a unique one for each DeployLevel automatically.

DEPLOY = DeployLevel()


Variable Management

Create a Environment

./ env-create envname

Creates a new environment file, with a new django SECRET_KEY. There is a default Deployment list, but be sure to create your own if you are creating environments other then ['debug', 'staging', 'production']. For instance:

from enum import Enum
class MyCustomDeployment(Enum):

    DEBUG = 'debug'
    MULTIVERSE = 'multiverse'
    ENVNAME = 'envname'

and pass it to your DeployLevel.

DEPLOY = DeployLevel(levels=MyCustomDeployment)

Add a Variable

./ env-add -k ENVKEY VAR1 value1

Adds a variable and it value to the environment specified with ENVKEY. If you omit the -k parameter django-envcrypto will read it from your environment.

Delete a Variable

./ env-delete -k ENVKEY VAR1

Deletes VAR1 from the specified environment. If you omit the -k parameter django-envcrypto will read it from your environment.

Show all variables

./ env-show -k ENVKEY

Show all the variables to that environment. If you omit the -k parameter django-envcrypto will read it from your environment.

Create a new symetric key

./ env-key

Create a new key. This is only to be used as a helper function.

Encrypt / Decrypt value

./ env-encryption TESTVALUE -k rmFpYnhZ0FzOj2ira9ViW7CwItln-we8eY5yn38t1O8=
./ env-encryption Z0FBQUFBQmNFbjBKRHNfeElmMTVXQ0ppZkJvQXZtb0xsYmhkVGJtLUVwRVF6eHdTU09XSnFxaVhzdzA2YUc4azlVMXdTLVNXVHBhS1ZYN1BpMGFIRE9uRjdINUkyaVk2MFE9PQ== -k rmFpYnhZ0FzOj2ira9ViW7CwItln-we8eY5yn38t1O8= -d

Encrypt a value or decrypt a digest using a key. This is a helper function.

Transcode to another environment

./ env-show -k ENVKEY -t NEWENVKEY

Transcodes all the current ENVKEY variables to the new NEWENVKEY. Django-envcrypto will overwrite any variable that already exists on the new NEWENVKEY (except for the internal variables like SECRET_KEY). If you omit the -k parameter django-envcrypto will read it from your environment.

Key rotation

./ env-rotate

Creates a new KEY (and outputs it) while using it to re-encrypt all the variables. It also creates a new Django SECRET_KEY, so any feature that relies on it might require user action (please check Django docs). This should be your first step into rotating your keys, and any secret you are storing on env-crypto should also be rotated at the apropriate provider.

Level Management

When Django initializes, django-envproject reads the .env files and determines in with deployment level it currently is. You can read that level from your DEPLOY variable:

if DEPLOY.LEVEL is Deployment.DEBUG:
    DEBUG = True

This allows you to configure custom commands to each of your deploy levels. You can also read that level from anywhere on your code using:

from django.conf import settings
from envcrypto import Deployment # as an example, you might use your MyCustomDeployment class

if settings.DEPLOY.LEVEL in [Deployment.DEBUG, Deployment.STAGING]:
  print("Not in production!")



Accessing the secrets

Assuming you've just added a TWILIO_AUTH_TOKEN secret key through the steps above, it's worth noticing that in order to access the variable from anywhere within your project, all you'll have to do is:

import settings
twilio_token = settings.TWILIO_AUTH_TOKEN


Currently, Django-Envcrypto supports python (3.4+) because it uses Enumerators (Enum) under the hood. We might extend the support in the future.