Reads key-value pairs from a .env file and can set them as environment variables. It helps in developing applications following the 12-factor principles.
Working in a high security environment it is sometimes concerning to have a .env file sitting on your machine with plaintext credentials needed for development. It is also cumbersome to regularly recreate the .env file per working session if the credentials are particularly sensitive. One possible solution would be to support pgp encryption of the .env file, so a call to load dotenv would look like:
from dotenv import load_dotenv
load_dotenv(encrypted=True)
Right now I'm using some boilerplate code like this:
from os import getenv
from io import StringIO
from gnupg import GPG
from dotenv import load_dotenv
# encrypted with `gpg -o .env.gpg -e --default-recipient-self .env`
with open("test.env.gpg", "rb") as f:
env_vars = GPG().decrypt_file(f)
if not env_vars.ok:
raise Exception(f"Decryption failed: {env_vars.status}")
load_dotenv(stream=StringIO(env_vars.data.decode()))
foo = getenv("FOO")
print(f"FOO: {foo}")
This way the decrypted credentials will only ever exist in memory and since I use a yubikey to store my private keys, there is no way to access that key and retrieve those credentials without the physical key.
Working in a high security environment it is sometimes concerning to have a
.envfile sitting on your machine with plaintext credentials needed for development. It is also cumbersome to regularly recreate the.envfile per working session if the credentials are particularly sensitive. One possible solution would be to support pgp encryption of the .env file, so a call to load dotenv would look like:Right now I'm using some boilerplate code like this:
This way the decrypted credentials will only ever exist in memory and since I use a yubikey to store my private keys, there is no way to access that key and retrieve those credentials without the physical key.