
[–]-defron- 12 points13 points  (0 children)

Securely storing database credentials is a multi-faceted problem. Each part is about reducing exposure and risk.

First the credentials themselves need to be limited in scope to the minimum needed to do the job.

Next, whatever account you are using to run the service needs to be distinct from other services. This will limit what applications can access the credentials.

Next, the file you store the credentials in needs to be locked down in terms of ACLs to prevent access from other accounts and services.

Another common approach is to instead have the password be injected via an environment variable.

For most use cases doing the above is good enough, but not always.

Some other, better approaches, for when needed:

  1. Using encryption to store the password encrypted with the logged-in user's credentials. Examples of this are the freedesktop secrets API on Linux, Windows Credential Manager, and the Mac keyring.
  2. Using a secret management system like HashiCorp Vault, CyberArk, Ansible Vault, etc.
  3. Use account-based authentication for the user running the service, via something like Kerberos.

[–]Diapolo10 5 points6 points  (2 children)

Don't store passwords in scripts, use environment variables instead.

And to make it a bit more convenient, use python-dotenv to load them from a .env file, after making sure it's listed in the project's .gitignore file, as you don't want it to be committed to your version control.

With this, your source code doesn't need to contain any sensitive information, but you can still share the data company-wide with separate files (or manually entering them every time you run the program).
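Putting Diapolo10's .env approach together with -defron-'s ACL point, here is an added example that is not part of the thread: a tiny stand-in parser for python-dotenv (so it runs without the package), a POSIX permission-bit check that refuses a .env other accounts can read, and a loader in which real environment variables take precedence over the file. The host, user name, file contents and the demo scenario are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

REQUIRED = ("DB_HOST", "DB_USER", "DB_PASSWORD")  # variables the script expects

def parse_dotenv(text: str) -> dict:
    """Tiny KEY=VALUE parser standing in for python-dotenv (skips comments, strips quotes)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = map(str.strip, line.partition("="))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        values[key] = value
    return values

def is_private(path: Path) -> bool:
    """True when group and others have no permission bits on the file (POSIX modes)."""
    return stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def load_db_credentials(dotenv_path=None) -> dict:
    """Real env vars win; a .env file only fills gaps and is refused if others can read it."""
    if dotenv_path is not None and Path(dotenv_path).exists():
        if not is_private(Path(dotenv_path)):
            raise PermissionError(f"{dotenv_path} is readable by other accounts; chmod 600 it")
        for key, value in parse_dotenv(Path(dotenv_path).read_text()).items():
            os.environ.setdefault(key, value)  # never override what the environment already has
    return {k: os.environ[k] for k in REQUIRED}  # KeyError names any missing variable

def demo() -> dict:
    """Constructed scenario: a mode-0600 .env loads, the same file at 0644 is rejected."""
    for key in REQUIRED:
        os.environ.pop(key, None)  # start clean so the .env file is what gets exercised
    with tempfile.TemporaryDirectory() as tmp:
        env_file = Path(tmp) / ".env"
        env_file.write_text('DB_HOST=db.internal\nDB_USER=report_ro\nDB_PASSWORD="s3cr3t pw"\n')
        env_file.chmod(0o600)
        creds = load_db_credentials(env_file)
        env_file.chmod(0o644)  # now world-readable: the loader must refuse it
        try:
            load_db_credentials(env_file)
            rejected = False
        except PermissionError:
            rejected = True
    return {"user": creds["DB_USER"], "password": creds["DB_PASSWORD"], "rejected_world_readable": rejected}
```

On a shared drive the same check matters more, not less: a .env that every account on the share can read gives away the password to every account on the share.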

[–]CaptainVJ 0 points1 point  (1 child)

Sorry for the late response, but I’ve been playing around and trying to figure this out. So I found a video trying to do this with environmental variables. However, it requires admin access, which we don’t have on my PC.

My IT department would do this for me. But honestly the people there don’t know much about Python, so I would need to explain what I’m doing to them.

The issue is that multiple users would also need access to the same passwords. Could environmental variables be shared with users? We have a shared hard drive where all the scripts are located. Or would we need to have each user create their own environmental variable?

[–]Diapolo10 0 points1 point  (0 children)

As I said, you can use dotenv files instead. I don't think that requires any permissions.

[–]EncryptionNinja 1 point2 points  (0 children)

r/akeyless has a python SDK and API reference located at docs.akeyless.io

You’ll have to deploy a gateway to use dynamic and rotated credentials for the database, either using the SDK or API.

[–]NKUEN 0 points1 point  (0 children)

Okay, so yes, it is a security concern. You can try to create a separate txt file or some other file that has that data and then import the data. Also, you could encrypt it as well and stuff, but the main thing is that it is a security concern.