Monday, April 1, 2013

SECURE Python Django Database Settings

I have started to use Python Django web framework  (The Web framework for perfectionists with deadlines) and was shocked that still, in 2013, the official documentation (https://docs.djangoproject.com/en/dev/ref/settings/) and the "experts" on stackoverflow (http://stackoverflow.com/questions/3540339/is-it-okay-that-database-credentials-are-stored-in-plain-text) recommend storing database connection credentials in clear-text. It is not like the database stored confidential information(e.g. Intellectual Property), private or sensitive information, etc.

Python has a keyring library (https://pypi.python.org/pypi/keyring) that provides an easy way to access the system keyring service from python and can be used in an application to safely store passwords.

To install it on Ubuntu, make sure you have up-to-date pip Python package:
sudo apt-get install python-pip
sudo pip install pip -U

Then, using pip, install the keyring library:
sudo pip install keyring
Finally, update the settings.py with the following code to securely store authentication credentials:

import keyring
import getpass
database_name = 'schema_name'
username = 'administrator'
password = keyring.get_password(database_name, username)

while password == None :
    password = getpass.getpass(database_name + " Password:\n")
    # store the password
    keyring.set_password(database_name, username, password)

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql', 
        'NAME': database_name,      # Or path to database file if using sqlite3.
        'USER': username,                 # Not used with sqlite3.
        'PASSWORD': password,      # Not used with sqlite3.
        'HOST': db.inteliident.com',   # Set to empty string for localhost. Not used with sqlite3.
        'PORT': '3306',                       # Set to empty string for default. Not used with sqlite3.
    }
}

Simple, isn't it?