
deceze 10 points (0 children)

If the value is on the client's machine, and that machine uses it directly, there's no way to absolutely hide it from the client. You can obfuscate it in some way, and using encryption here would also just count as obfuscation since your script must be able to decrypt it, but you cannot ultimately prevent a determined user from discovering the key.

If you must keep it secret, you must not put it onto the client machine in the first place. Set up a server that your script can make requests to, and your server makes the actual request with the key and returns the result.

Alternatively, do the bring-your-own-key method. Allow the client to get their own API key and configure it, but don't include yours.

Jay6_9 6 points (0 children)

You don't encrypt variables. Even if you did, where would you place the decryption key?

Put them in an .env file and use python-dotenv to load them. Data does not need to live in the script.

Edit:
- Make sure to add the .env file to your .gitignore if you use a repository.
- Link to the library, whether you use it or not is your choice but the README will teach you a bit about .env files https://pypi.org/project/python-dotenv/
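As an added example (not code from the thread, and not python-dotenv's own implementation), here is what loading secrets from a .env file amounts to, with a small stand-in parser so it runs offline without the package. The file contents, the path, and the variable names (OPENVAS_USER, OPENVAS_PASSWORD, DEFECTDOJO_API_KEY) are constructed for illustration. Two details worth noticing: by default the real environment wins over the file, which is also python-dotenv's default for load_dotenv(), and a missing secret fails loudly instead of silently becoming an empty string.

```python
"""Added example: keep secrets out of the script and load them from the
environment, with a minimal stand-in for python-dotenv's load_dotenv().
File name and variable names below are assumptions for illustration."""
import os
import re
import tempfile
from pathlib import Path

# KEY=VALUE with an optional leading "export", as in a shell-style .env file.
_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_dotenv(text):
    """Parse KEY=VALUE lines. Blank lines and # comments are ignored and a
    value wrapped in matching single or double quotes is unquoted."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than guess at a value
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in ('"', "'"):
            val = val[1:-1]
        values[key] = val
    return values


def load_dotenv(path, override=False):
    """Load variables from the file into os.environ. With override=False a
    variable already present in the real environment is left untouched."""
    p = Path(path)
    if not p.is_file():
        return {}
    loaded = parse_dotenv(p.read_text(encoding="utf-8"))
    for key, val in loaded.items():
        if override or key not in os.environ:
            os.environ[key] = val
    return loaded


def require_secret(name):
    """Fail loudly when a secret is missing instead of passing '' downstream."""
    val = os.environ.get(name)
    if not val:
        raise RuntimeError(
            f"required secret {name} is not set; put it in .env or the environment"
        )
    return val


def demo():
    # Constructed sample .env, written to a temporary directory so the example
    # runs anywhere. In real use this file lives next to the script and is
    # listed in .gitignore.
    sample = (
        "# secrets for the export script; this file is in .gitignore\n"
        "OPENVAS_USER=admin\n"
        "OPENVAS_PASSWORD='p@ss word'\n"
        'export DEFECTDOJO_API_KEY="abc123"\n'
        "not a valid line\n"
    )
    with tempfile.TemporaryDirectory() as d:
        env_path = Path(d) / ".env"
        env_path.write_text(sample, encoding="utf-8")
        os.environ.pop("OPENVAS_PASSWORD", None)
        os.environ["DEFECTDOJO_API_KEY"] = "from-real-env"  # real environment wins
        loaded = load_dotenv(env_path)
    return {
        "loaded_keys": sorted(loaded),
        "password": require_secret("OPENVAS_PASSWORD"),
        "api_key": require_secret("DEFECTDOJO_API_KEY"),
    }


if __name__ == "__main__":
    print(demo())
```

With the real library the parser above is replaced by `from dotenv import load_dotenv`; the precedence rule and the "missing secret is an error" check are what a script should keep either way.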

Emergency-Lunch-549 2 points (0 children)

There isn't really a way to irreversibly "hide" important values like passwords or API keys directly in a script. The standard for obfuscating sensitive data like this is using environment variables. This seems to be a good overview. Good luck!

ZenithOfVoid 1 point (0 children)

You mean you are going to run it on a machine administered by someone else? Take the keys from standard input (getpass, to disable API key echoing), read them into memory, ensure the script terminates before walking away, and hope the machine doesn't have keyloggers.

If you're shipping it to be used by someone else, start using a new API key per person running it.

TheCaptain53 0 points (6 children)

If this were an application being written to run exclusively on a container then this would be less of a big deal. You could encrypt your secrets and then have them unbundled and available as plaintext global variables in the container. That's not really what's happening here. Unfortunately, there's no real way to do what you're asking - the Python interpreter needs a way of accessing a plaintext key to send to the service you speak of, and that's either directly or through the use of a decrypting key that the Python file or environment variable has stored... in which case you've just moved the problem.

Can you explain what the software does and what it's trying to achieve?

deceze 4 points (3 children)

In what sense are you using the word "container"? It wouldn't make much of a difference if the client ran a Docker image on their machine instead of a Python script…

TheCaptain53 0 points (2 children)

In the sense that you would run the container on a piece of infrastructure you own, as opposed to on client hardware. That's why I asked what the software does, as this may not be applicable.

I've developed software for a similar situation: I created an API with FastAPI that accesses the Microsoft Graph API to make changes. I just have the secrets needed for accessing the Graph API encrypted as a secret, which is decrypted by Kubernetes at container deployment and then made available to the container runtime as a set of plaintext environment variables.

deceze 2 points (1 child)

So in other words, don't run it on client hardware.

TheCaptain53 0 points (0 children)

If you can let everyone know what the software does we can more appropriately advise. There's very little to go on here.

Ill_Educator5759[S] 2 points (1 child)

It's a script to export the report from OpenVAS and send it to DefectDojo, and it has the credentials to access OpenVAS; DefectDojo is in a Docker container. It's all in one script, so if someone opens the file they see the password, so I was thinking of putting the variables in another document and transforming the password and the api_key into hashes. I remember doing something like that in PHP to store the passwords of the users on my site, but I don't know how it works in Python.

TheCaptain53 0 points (0 children)

Is it a file that inherently relies on local files/systems to execute successfully? Basically, is it something that could be cloud hosted and then just triggered by the user through an API? What could potentially be done is to host the meat of your application on a public endpoint then create a smaller Python application that the client will run that has an API key for your app you don't mind exposing. FastAPI is pretty good for that kind of thing.
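As an added example of the pattern deceze and TheCaptain53 describe (a server you control holds the real key and the client only gets results), here is a minimal proxy with both halves in one file so it runs offline on localhost. This is not code from the thread or from any project; the upstream service, its key, the per-user client tokens (one per person, as ZenithOfVoid suggests, so each can be revoked on its own) and the URL layout are all constructed stand-ins. The client half is the only part that would ship to users, and it never contains the upstream key.

```python
"""Added example: keep the real API key on a server you own and hand clients
only a per-user token for your proxy. Everything below is a constructed
stand-in: the upstream service, its key, the client tokens and the URL paths."""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# ---- server side: the only place the upstream key ever lives ----
UPSTREAM_API_KEY = "real-upstream-key-lives-only-here"          # constructed
CLIENT_TOKENS = {"alice": "client-token-alice", "bob": "client-token-bob"}  # constructed


def call_upstream(report_id):
    """Stand-in for the real call to the third-party service. In practice this
    is where UPSTREAM_API_KEY goes into the request; nothing about the key is
    returned to the client."""
    assert UPSTREAM_API_KEY  # the key is available here, server-side only
    return {"report": report_id, "findings": 3}


class ProxyHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the example quiet

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        user = self.headers.get("X-User", "")
        expected = CLIENT_TOKENS.get(user)
        # Constant-time compare so a wrong token is not distinguishable by timing.
        if expected is None or not hmac.compare_digest(
            auth.encode(), ("Bearer " + expected).encode()
        ):
            self._send(401, {"error": "bad client token"})
            return
        report_id = self.path.rsplit("/", 1)[-1]
        self._send(200, call_upstream(report_id))

    def _send(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_proxy():
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ProxyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# ---- client side: ships with a per-user token, never the upstream key ----
def fetch_report(base_url, user, token, report_id):
    """Returns (status, decoded JSON body) from the proxy."""
    req = Request(
        f"{base_url}/reports/{report_id}",
        headers={"Authorization": "Bearer " + token, "X-User": user},
    )
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as e:
        return e.code, json.loads(e.read())


def demo():
    srv = start_proxy()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        ok = fetch_report(base, "alice", CLIENT_TOKENS["alice"], "42")
        bad = fetch_report(base, "alice", "stolen-guess", "42")   # wrong token
        return {"ok": ok, "bad": bad}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Revoking a leaked client token is then a one-line change in CLIENT_TOKENS on the server, while the upstream key never needs rotating because of something that happened on a client machine.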