Django Sending Mail


Samiddha সমিদ্ধ

Oct 29, 2020, 12:26:56 PM
to Django users
I want to include an email service in my project. But for that I need to provide my email password to Django's settings.py in EMAIL_HOST_PASSWORD. I want to know whether it is secure to provide my email password. When I deploy the project with a host, is there any risk of my password being stolen? How do I encrypt my password in Django's settings.py?

Kasper Laudrup

Oct 29, 2020, 1:14:22 PM
to django...@googlegroups.com
Hi Samiddha,

On 29/10/2020 17.08, Samiddha সমিদ্ধ wrote:
> I want to include an email service in my project. But for that I need to
> provide my email password to Django's settings.py in EMAIL_HOST_PASSWORD
> <https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-EMAIL_HOST_PASSWORD>.
> I want to know whether it is secure to provide my email password. When I
> deploy the project with a host, is there any risk of my password being
> stolen? How do I encrypt my password in Django's settings.py?
>

You can't really avoid making some secrets available on your production
system. I personally use django-configurations:

https://django-configurations.readthedocs.io/en/stable/

and set my secrets as environment variables in my systemd service file
for gunicorn. That is mostly for convenience. You definitely shouldn't
store your secrets in the settings.py file you keep in revision control,
but using environment variables doesn't make them any less accessible to
your hosting provider.

I don't think there's any way to avoid having to trust your hosting
provider, but you can try to ensure the secrets are only known to you
and your hosting provider.

If you don't want to use django-configurations, a more "traditional"
approach is described here:

https://djangostars.com/blog/configuring-django-settings-best-practices/

It doesn't make much sense to encrypt your password, since you still
need to provide the secret to decrypt it when it needs to be used and
then you're back to square one. You might be able to store a private key
in some secure storage from your hosting provider that ensures the
private key can never be retrieved and only used for decrypting your
password, but I don't really think it's worth the effort, especially
considering you still have to trust your hosting provider.

Hope that makes some sense.

Kind regards,

Kasper Laudrup
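The approach Kasper describes (keep the password out of the settings.py that lives in revision control and read it from the environment at process start) can be written without any extra package. The following is an added example, not code from the thread or from django-configurations; the helper names `get_secret`, `email_settings` and `SecretNotConfigured` are my own, and it deliberately avoids importing Django so it can be run and tested on its own. It fails loudly at startup when a required variable is missing, which is preferable to a silently empty password that only shows up as an SMTP authentication error later.

```python
"""Read Django EMAIL_* settings from environment variables.

Added example (not from the original thread). The variable names follow the
Django setting names; the helper and exception names are assumptions made
for this illustration.
"""
import os


class SecretNotConfigured(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def get_secret(name, environ=None, required=True, default=None):
    """Return the value of environment variable `name`.

    `environ` defaults to os.environ; it is a parameter so the function can
    be exercised against a constructed mapping in tests. An unset or empty
    variable is treated as missing. The secret value itself is never placed
    in the exception message, so a traceback in a log cannot leak it.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value is None or value == "":
        if required:
            raise SecretNotConfigured(
                f"required environment variable {name} is not set"
            )
        return default
    return value


def email_settings(environ=None):
    """Build a dict of Django EMAIL_* settings from the environment.

    Host, port and TLS have non-secret defaults (the TLS-on default is a
    choice made for this example, not Django's own default, which is False);
    the user name and password are required because SMTP authentication is
    the whole point of the question.
    """
    return {
        "EMAIL_HOST": get_secret("EMAIL_HOST", environ, required=False,
                                 default="localhost"),
        "EMAIL_PORT": int(get_secret("EMAIL_PORT", environ, required=False,
                                     default="587")),
        "EMAIL_USE_TLS": get_secret("EMAIL_USE_TLS", environ, required=False,
                                    default="1") == "1",
        "EMAIL_HOST_USER": get_secret("EMAIL_HOST_USER", environ),
        "EMAIL_HOST_PASSWORD": get_secret("EMAIL_HOST_PASSWORD", environ),
    }


# In settings.py this would be used as, for example:
#
#     from .secrets import email_settings   # hypothetical module name
#     globals().update(email_settings())
#
# and the values would be supplied by the process manager rather than the
# repository, e.g. in a systemd unit (as in the reply above):
#
#     [Service]
#     EnvironmentFile=/etc/myproject/env     # hypothetical path, owned by
#                                            # root, mode 0600
#
# where /etc/myproject/env contains lines such as
#     EMAIL_HOST_PASSWORD=...                # never committed to git
if __name__ == "__main__":
    # Constructed sample environment for a quick local run.
    sample = {"EMAIL_HOST_USER": "app@example.com",
              "EMAIL_HOST_PASSWORD": "constructed-sample-password"}
    cfg = email_settings(sample)
    # Print the keys only; the password must not end up on stdout or in logs.
    print(sorted(cfg))
```

Two points worth noting: the exception message names the variable but never echoes its value, so a misconfiguration report in a log file does not become a credential leak; and because `environ` is a parameter, the same function can be checked in a test with a constructed mapping without touching the real process environment.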