## Managing Environment Variables Securely in Python Projects This guide provides a step-by-step approach to managing environment variables in Python projects on Ubuntu servers using `dotenv` for handling environment variables and GnuPG (GPG) for file encryption. ### Prerequisites - Python 3 installed on Ubuntu Server - Basic familiarity with terminal commands ### Contents 1. [Setting Up dotenv with .env Files](#1-setting-up-dotenv-with-env-files) 2. [Encrypting and Decrypting .env Files with GPG](#2-encrypting-and-decrypting-env-files-with-gpg) 3. [Automating Decryption in Python Scripts](#3-automating-decryption-in-python-scripts) 4. [Backing Up GPG Keys](#4-backing-up-gpg-keys) 5. [Basic GPG Commands](#5-basic-gpg-commands) --- ### 1. Setting Up `dotenv` with `.env` Files `dotenv` is a module that loads environment variables from a `.env` file into `os.environ`. This section covers creating a `.env` file and integrating `dotenv` into your Python project. #### Steps: 1. **Create a `.env` File**: ```bash # Navigate to your project directory cd /path/to/your/project # Create a .env file touch .env # Add environment variables echo "API_KEY=yourapikey123" >> .env echo "DB_PASSWORD=hunter2" >> .env ``` 2. **Install `python-dotenv`**: ```bash pip3 install python-dotenv ``` 3. **Modify Your Python Script**: ```python import os from dotenv import load_dotenv load_dotenv() # Loads the .env file api_key = os.getenv('API_KEY') db_password = os.getenv('DB_PASSWORD') # Your script continues here... ``` 4. **Update `.gitignore`**: ```bash echo ".env" >> .gitignore ``` ### 2. Encrypting and Decrypting .env Files with GPG GnuPG (GPG) is used for encrypting files, ensuring sensitive information like environment variables in `.env` files is secure. #### Steps: 1. **Install GnuPG**: ```bash sudo apt-get update sudo apt-get install gnupg ``` 2. **Encrypt the `.env` File**: ```bash gpg --encrypt --recipient your_user_id .env ``` 3. **Decrypt the `.env` File When Needed**: ```bash gpg --output .env --decrypt .env.gpg ``` ### 3. Automating Decryption in Python Scripts Automate the decryption of the `.env` file at the start of your Python script for convenience while maintaining security. #### Example Function: ```python import subprocess import os from dotenv import load_dotenv def decrypt_env_file(): subprocess.run(['gpg', '--quiet', '--batch', '--yes', '--decrypt', '--output', '.env', '.env.gpg']) # Decrypt the .env file decrypt_env_file() # Load environment variables load_dotenv() # Your main script logic # Delete the .env file securely after use os.remove('.env') ``` ### 4. Backing Up GPG Keys Regular backups of GPG keys are essential to avoid losing access to encrypted data. #### Steps: 1. **Export Your Private Key**: ```bash gpg --export-secret-keys your_user_id > myprivatekey.asc ``` 2. **Export Your Public Key**: ```bash gpg --export your_user_id > mypublickey.asc ``` ### 5. Basic GPG Commands Familiarize yourself with basic GPG commands for managing your keys and encrypted files. #### Common Commands: - **List Keys**: `gpg --list-keys`, `gpg --list-secret-keys` - **Import Key**: `gpg --import [file]` - **Export Key**: `gpg --export -a [email/id] > public.key` - **Delete Key**: `gpg --delete-key [email/id]`, `gpg --delete-secret-key [email/id]` - **Encrypt File**: `gpg --encrypt --recipient [email/id] [file]` - **Decrypt File**: `gpg --decrypt [file.gpg]` --- By following this guide, you will be able to securely manage environment variables in your Python projects, leveraging `dotenv` for environment variable management and GnuPG for encryption, ensuring your sensitive data remains protected.