django-root-secret is a Django package for managing one root encryption key per environment and decrypting encrypted literals at runtime.
django-root-secret reduces the number of plaintext secrets you need to manage and tries to minimize the number of environment variables your project depends on. Large .env files are a common source of configuration errors because variables can be missing, misnamed, outdated, or inconsistent across environments. This package keeps the env file minimal by storing only ROOT_ENCRYPTION_KEY there and encrypting the rest.
Install the package:

    pip install django-root-secret

Add the app to INSTALLED_APPS:

    INSTALLED_APPS = [
        ...,
        "django_root_secret",
    ]

Generate a root key file:

    python manage.py generate_root_encryption_key --env development

This creates development.env in the current working directory with only:

    # This file must only contain ROOT_ENCRYPTION_KEY.
    # Encrypt every other secret with this key and keep the file private.
    ROOT_ENCRYPTION_KEY=...

If development.env is not already ignored by Git, the command also adds it to .gitignore.
Encrypt a plaintext secret with the key in that file. The command prompts for the value with hidden input, so you can paste the secret:

    python manage.py encrypt_secret --env development
    # Value to encrypt: [hidden input]

At runtime, make ROOT_ENCRYPTION_KEY available through your environment or deployment secret manager:

    export ROOT_ENCRYPTION_KEY="..."

Then use the encrypted output in code:

    from django_root_secret import get_secret

    DATABASE_PASSWORD = get_secret("gAAAAAB...")

This package started as an internal tool at Hipo, and it brings back memories of a team I still appreciate deeply. 🦛
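
The root key file described above must contain only ROOT_ENCRYPTION_KEY and stay out of Git. One way to check both in CI or a pre-commit hook, as an added example that is not part of django-root-secret: the names `audit_env_file` and `demo`, the file permission check, and the exact-name .gitignore matching are assumptions of this example, and the sample files are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

ALLOWED_KEY = "ROOT_ENCRYPTION_KEY"


def audit_env_file(env_path, gitignore_path):
    """Return a list of findings for a root key file; empty means it passed."""
    env_path, gitignore_path = Path(env_path), Path(gitignore_path)
    findings, seen = [], 0
    for number, raw in enumerate(env_path.read_text().splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        name, sep, value = line.removeprefix("export ").partition("=")
        name = name.strip()
        if not sep:
            findings.append(f"line {number}: not a KEY=value assignment")
        elif name != ALLOWED_KEY:
            findings.append(f"line {number}: unexpected variable {name}")
        elif not value.strip().strip("'\""):
            findings.append(f"line {number}: {ALLOWED_KEY} is empty")
        else:
            seen += 1
    if seen != 1:
        findings.append(f"expected exactly one {ALLOWED_KEY}, found {seen}")
    # Keep the key file private: no group/other permission bits (POSIX only).
    if os.name == "posix" and stat.S_IMODE(env_path.stat().st_mode) & 0o077:
        findings.append("file is accessible to group or other users")
    # Simplified .gitignore check: exact file-name entries only, no globs.
    text = gitignore_path.read_text() if gitignore_path.exists() else ""
    if env_path.name not in {e.strip().lstrip("/") for e in text.splitlines()}:
        findings.append(f"{env_path.name} is not listed in .gitignore")
    return findings


def demo():
    """Audit two constructed sample files: one clean, one that has drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "development.env"), Path(tmp, "staging.env")
        good.write_text("# constructed\nROOT_ENCRYPTION_KEY=placeholder\n")
        bad.write_text("ROOT_ENCRYPTION_KEY=placeholder\nDATABASE_PASSWORD=x\n")
        ignore = Path(tmp, ".gitignore")
        ignore.write_text("development.env\n")
        good.chmod(0o600)
        bad.chmod(0o644)
        return audit_env_file(good, ignore), audit_env_file(bad, ignore)
```

Findings report line numbers and variable names only, never values, so the output is safe to keep in CI logs.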