Where to store secret keys DJANGO

For the life of me, I have been looking for this everywhere and have not found the answer. I hope I am not posting a duplicate.

It is advised everywhere that you should keep your secret keys in a separate file from your general settings.py. Also, that you should never commit your "secret.py" file that contains keys such as SECRET_KEY, AWS_SECRET_KEY and so on.

My question is: In your production server, you need to reference your secret keys, that means that your "secret.py" settings file, should live somewhere around the server right? If so, how do you protect your secret keys in production?


I wanted to add a new answer because, as a beginner, the previous accepted answer didn't make a lot of sense to me (it was only one part of the puzzle).

So here's how I store my keys both LOCALLY and in PRODUCTION (Heroku, and others).

Note: You really only have to do this if you plan on putting your project online. If it's just a local project, no need.

I also made a video tutorial for people who prefer that format.

1) Install python-dotenv to create a local project environment to store your secret key.

pip install python-dotenv

2) Create a .env file in your base directory (where manage.py is).

YourDjangoProject
├───project
│   ├───__init__.py
│   ├───asgi.py
│   ├───settings.py
│   ├───urls.py
│   └───wsgi.py
├───.env
├───manage.py
└───db.sqlite3

If you have a Heroku project, it should look something like this:

YourDjangoProject
├───.git
├───project
│   ├───__init__.py
│   ├───asgi.py
│   ├───settings.py
│   ├───urls.py
│   └───wsgi.py
├───venv
├───.env
├───.gitignore
├───manage.py
├───Procfile
├───requirements.txt
└───runtime.txt

3) Add .env to your .gitignore file.

echo .env > .gitignore  # Or just open your .gitignore and type in .env

This is how you keep your secret key more secure because you don't upload your .env file to git or heroku (or wherever else).

4) Add your SECRET_KEY from your settings.py file into the .env file like so (without quotes)

**Inside of your .env file**
SECRET_KEY=qolwvjicds5p53gvod1pyrz*%2uykjw&a^&c4moab!w=&16ou7 # <- Example key, SECRET_KEY=yoursecretkey

5) Inside of your settings.py file, add the following settings:

import os
import dotenv # <- New

# Add .env variables anywhere before SECRET_KEY
dotenv_file = os.path.join(BASE_DIR, ".env")
if os.path.isfile(dotenv_file):
    dotenv.load_dotenv(dotenv_file)

# UPDATE secret key
SECRET_KEY = os.environ['SECRET_KEY'] # Instead of your actual secret key

or, thanks to @Ashkay Chandran's answer:

from dotenv import load_dotenv, find_dotenv

load_dotenv(find_dotenv())

SECRET_KEY = os.environ['SECRET_KEY']

And now your secret key is successfully stored locally.

Update: I found out you can also use the config method from the package python-decouple that seems to be a bit easier:

from decouple import config

SECRET_KEY = config('SECRET_KEY')

Now you don't need to import os or use dotenv because it takes care of those parts for you AND will still use the .env file. I started using this in all of my projects.

6) Add the SECRET_KEY environment variable on your host (such as Heroku).


I work mostly with Heroku sites, so if you're wanting to use Heroku for a Django project, this part is for you.

This assumes that you already have a Heroku project setup and have Heroku CLI downloaded on your computer.

You have 2 options:

  1. From Command Line / Terminal, you can enter the following command in your project's directory:
heroku config:set SECRET_KEY=yoursecretkey # Again, no quotes.
  1. You can go to your Heroku dashboard, click on your app, go to your apps settings, and see the "Config Vars" section and click "Reveal Vars" or "Add Vars" and add your SECRET_KEY there.

Then, when you push your project to Heroku through git, it should be working properly without any issue.

and that's it! 🙂

This answer was targeted towards total beginners / intermediates to hopefully cut through any confusion (because it was definitely confusing for me).

Hope this helps!

Happy coding.


See the Django deployment docs for a discussion on this.

There's quite a few options for production. The way I do it is by setting my sensitive data variables as environmental variables on the production environments. Then I retrieve the variables in the settings.py via os.environ like so:

import os
SECRET_KEY = os.environ['SECRET_KEY']

Another possible option is to copy in the secret.py file via your deploy script.

I'm sure there are also other specific options for different web servers.


You should store your settings in a modular way. By that I mean to spread your settings across multiple files.

For example, you can have base_settings.py to store all your base settings; dev_settings.py for your development server settings; and finally prod_base_settings.py for all production settings. All non-base settings files will import all the base settings and then only change whatever is necessary:

# base_settings.py
...

# dev_settings.py
from base_settings import *
DEBUG = TRUE
...

# prod_base_settings.py
from base_settings import *
DEBUG = FALSE
...

This approach allows you to have different settings from different setups. You can also commit all these files except then on the production server you can create the actual production settings file prod_settings.py where you will specify all the sensitive settings. This file should not be committed anywhere and its content kept secure:

# prod_settings.py
from prod_base_settings import *
SECRET_KEY = 'foo'

As for the file names you can use whatever filenames you feel are appropriate. Personally I actually create a Python package for the settings and then keep the various settings inside the package:

project/
  project/
    settings/
      __init__.py
      base.py
      dev.py
      ...
  app1/
    models.py
    ...
  app2/
    models.py
    ...