Hi Samiddha,

On 29/10/2020 17.08, Samiddha সমিদ্ধ wrote:
> I want to include an email service in my project. But for that I need to provide my email password to django settings.py in EMAIL_HOST_PASSWORD <https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-EMAIL_HOST_PASSWORD>. I want to know whether it is secure to provide my email password. When I deploy the project with a host, is there any risk of theft of my password? How do I encrypt my password in django settings.py?


You can't really avoid making some secrets available on your production system. I personally use django-configurations:

https://django-configurations.readthedocs.io/en/stable/

and set my secrets as environment variables in my systemd service file for gunicorn. That is mostly for convenience. You definitely shouldn't store your secrets in the settings.py file you keep in revision control, but using environment variables doesn't make them any less accessible to your hosting provider.

I don't think there's any way to avoid having to trust your hosting provider, but you can try to ensure the secrets are only known to you and your hosting provider.

If you don't want to use django-configurations, a more "traditional" approach is described here:

https://djangostars.com/blog/configuring-django-settings-best-practices/

It doesn't make much sense to encrypt your password, since you still need to provide the secret to decrypt it when it needs to be used and then you're back to square one. You might be able to store a private key in some secure storage from your hosting provider that ensures the private key can never be retrieved and only used for decrypting your password, but I don't really think it's worth the effort, especially considering you still have to trust your hosting provider.

Hope that makes some sense.

Kind regards,

Kasper Laudrup
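
An added example, not part of the e-mail above and not code from Django or django-configurations: one way to keep EMAIL_HOST_PASSWORD out of the settings.py held in revision control by reading it from the environment set in the service file and refusing to start when it is missing. The names `get_secret`, `MissingSecret` and `email_settings`, the `_FILE` suffix convention and the host `smtp.example.com` are assumptions of this example.

```python
import os
import stat


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent or stored unsafely."""


def get_secret(name, environ=None):
    """Return the secret `name` from the environment, never from source code.

    Lookup order (the NAME_FILE convention is an assumption of this example):
      1. NAME_FILE: path to a file holding the secret, accessible to its owner only
      2. NAME: the secret itself as an environment variable
    """
    env = os.environ if environ is None else environ
    path = env.get(name + "_FILE")
    if path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Reject files that group or other users on the host can access.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise MissingSecret(f"{path} has mode {mode:o}; use chmod 600")
        with open(path, encoding="utf-8") as fh:
            value = fh.read().strip()
    else:
        value = env.get(name, "")
    if not value:
        # Fail at startup rather than running with an empty password.
        raise MissingSecret(f"{name} is not set; refusing to start")
    return value


def email_settings(environ=None):
    """Build Django e-mail settings; only the password is treated as secret."""
    env = os.environ if environ is None else environ
    return {
        "EMAIL_HOST": env.get("EMAIL_HOST", "smtp.example.com"),  # placeholder
        "EMAIL_PORT": int(env.get("EMAIL_PORT", "587")),
        "EMAIL_USE_TLS": True,
        "EMAIL_HOST_USER": env.get("EMAIL_HOST_USER", ""),
        "EMAIL_HOST_PASSWORD": get_secret("EMAIL_HOST_PASSWORD", env),
    }

# In settings.py: globals().update(email_settings())
```

As the reply says, this keeps the password out of the repository but does not hide it from the hosting provider.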
