Monday, April 1, 2013

SECURE Python Django Database Settings

I have started to use Python Django web framework  (The Web framework for perfectionists with deadlines) and was shocked that still, in 2013, the official documentation (https://docs.djangoproject.com/en/dev/ref/settings/) and the "experts" on stackoverflow (http://stackoverflow.com/questions/3540339/is-it-okay-that-database-credentials-are-stored-in-plain-text) recommend storing database connection credentials in clear-text. It is not like the database stored confidential information(e.g. Intellectual Property), private or sensitive information, etc.

Python has a keyring library (https://pypi.python.org/pypi/keyring) that provides an easy way to access the system keyring service from python and can be used in an application to safely store passwords.

To install it on Ubuntu, make sure you have up-to-date pip Python package:
sudo apt-get install python-pip
sudo pip install pip -U

Then, using pip, install the keyring library:
sudo pip install keyring
Finally, update the settings.py with the following code to securely store authentication credentials:

import keyring
import getpass
database_name = 'schema_name'
username = 'administrator'
password = keyring.get_password(database_name, username)

while password == None :
    password = getpass.getpass(database_name + " Password:\n")
    # store the password
    keyring.set_password(database_name, username, password)

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql', 
        'NAME': database_name,      # Or path to database file if using sqlite3.
        'USER': username,                 # Not used with sqlite3.
        'PASSWORD': password,      # Not used with sqlite3.
        'HOST': db.inteliident.com',   # Set to empty string for localhost. Not used with sqlite3.
        'PORT': '3306',                       # Set to empty string for default. Not used with sqlite3.
    }
}

Simple, isn't it?

2 comments:

  1. keyring won't necessarily store your passwords safely. Be sure to check the backend it uses:

    $ python -c 'import keyring; print keyring.get_keyring().__class__.__name__'
    PlaintextKeyring

    If pycrypto is available, installing it will make keyring encrypt your passwords.

    $ pip install pycrypto

    Now your passwords will be stored securely (you will need to enter a password when starting django).

    $ python -c 'import keyring; print keyring.get_keyring().__class__.__name__'
    EncryptedKeyring

    As an aside, if you are using Linux there is a SecretService backend as well but it depends on the dbus-python library, which doesn't install via pip.

    ReplyDelete
  2. I prefer the solution provided by this answer: https://stackoverflow.com/questions/24492956/hiding-secure-django-settings-info-on-webfaction/41654822#41654822

    ReplyDelete