How is "secret_key.txt" more secure in Django project?

Time:11-16

I apologize if this is a duplicate question but I can't find an answer online. In Django Checklist Docs I see the following to keep secret key secure.

with open('/etc/secret_key.txt') as f:
    SECRET_KEY = f.read().strip()

My project is deployed with AWS EBS.

I've created a separate file called "secret_key.txt" which holds the key. How is this more secure than keeping the key in the settings.py config file? If someone can access my project's settings.py file to access the key, would they not be able to access the "secret_key.txt" file as well? How is creating a "secret_key.txt" file more secure?

I've checked Google and Stack Overflow for reasoning but can't find an answer. Currently all sensitive information is protected using an .env file and including this file in .gitignore.

CodePudding user response:

You usually add that file to the .gitignore, such that the file is not part of the (GitHub) repository. This means that you can add (other) settings in the project, and you load "sensitive" settings through environment variables, or files.

This hackernoon post for example, discusses four ways to define sensitive variables such that these are not defined in files that you add to the subversioning system.

Usually it is advisable to include a settings.py in the project, however, stripped of sensitive data. That way a peer can easily set up the project with all the other (required) settings, and thus only has to define a limited number of sensitive variables to get the project running.

I think however using an environment variable might be better, since it is probably easier to specify this, and thus to manage a number of processes that all might work with different values.
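
The pattern the answer describes, as an added example (not the answerer's code and not Django's own): settings.py keeps no secret at all and instead asks a small loader for it. The loader tries an environment variable first, then a key file, and refuses a key file whose mode lets group or others read it. That permission check is the concrete reason a separate file can be safer than a value inside settings.py: the file can be owned by the service account with mode 0600, while settings.py is readable by everyone who can read the code (and by everyone who has the repository, if the key was committed). The environment variable name DJANGO_SECRET_KEY, the function names and the ImproperlyConfigured stand-in class (used so the example runs without Django installed; the real one is django.core.exceptions.ImproperlyConfigured) are assumptions made for this example.

```python
import os
import stat
from pathlib import Path


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured so this runs without Django."""


def load_secret(name, env=None, path=None, require_private_file=True):
    """Return the secret called `name`.

    Lookup order: the environment variable `name` (per-process, easy to vary
    between deployments), then the file at `path` (the /etc/secret_key.txt
    pattern from the Django deployment checklist). Nothing is read from
    settings.py, so the committed code never contains the key.

    With require_private_file=True a key file readable by group or others is
    rejected: the point of a separate file is that it can be owned by the
    service account with mode 0600, which settings.py usually is not.
    """
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if value:
        return value

    if path is not None:
        key_file = Path(path)
        if key_file.is_file():
            if require_private_file:
                mode = stat.S_IMODE(key_file.stat().st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    raise ImproperlyConfigured(
                        f"{key_file} has mode {mode:04o}; it must not be "
                        "readable by group/others (chmod 600 it)"
                    )
            value = key_file.read_text().strip()
            if value:
                return value

    raise ImproperlyConfigured(
        f"No secret found: set the {name} environment variable or create {path}"
    )


def write_private_secret(path, value):
    """Create the key file with mode 0600; what an operator does once per host."""
    key_file = Path(path)
    key_file.touch(mode=0o600, exist_ok=False)
    key_file.write_text(value + "\n")
    key_file.chmod(0o600)  # touch() is subject to umask; make the mode explicit
    return key_file


# settings.py-style usage (assumed env var name; path from the Django checklist):
# SECRET_KEY = load_secret("DJANGO_SECRET_KEY", path="/etc/secret_key.txt")

if __name__ == "__main__":
    # Constructed demo: a throwaway key file, then the same lookup settings.py would do.
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        demo_file = write_private_secret(Path(tmp) / "secret_key.txt", "constructed-demo-key")
        print(load_secret("DJANGO_SECRET_KEY", env={}, path=demo_file))
```

Because the environment variable wins over the file, the same stripped settings.py serves a developer who exports DJANGO_SECRET_KEY locally and a host where an operator has dropped a 0600 key file, which is the "easier to specify per process" point made above.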
