
I thought that by using dotenv I could hide the strings in the Cythonized binary file.

All the dotenv Python samples I see tell me to place the .env file in the source (application) path. It seems they are talking about their Python application running on a server, or about it being submitted to GitHub.

But I run my Python application on a Raspberry Pi (SD card). If I place the .env file in the application path, then it will be worse than hardcoding the variables in the source code.

Also, I could not create a venv on the Raspberry Pi because PyCharm remote development doesn't support venv on a remote Raspberry Pi, so I do my development without venv (directly in the global environment).

  1. How can I secure my variables holding secret API keys, URLs and passwords?
  2. Can I still use a .env file and dotenv and somehow hide it on the SD card?
  3. Is there any other solution for my workflow?

By the way, I plan to use Cython to convert my Python code into native executables.

SYSTEM:

Target System: Raspberry Pi 4, Buster 32-bit OS (Linux)

Language used: Python 3.7

IDE: PyCharm

Remote development: From Windows 10

gaamaa

2 Answers


Seems they are talking about their python application is running on a server

That's right. Not sure how else you'd plan on reading that file.

Or its submitted on github.

No. You should add .env to .gitignore and not store it on GitHub.

place the .env file on the application path then it will be worse than hardcoding the variables on the source code.

No, it wouldn't.

The point of .env files is not security... For example, if you've not changed the default SSH password on your Pi, then no file or environment variable is safe.

The purpose of the .env file is simply to externalize your secrets, so you don't commit them into source control. It has nothing to do with the OS itself.

If you truly want secure config files / variables, this is where you'd use solutions like SOPS or HashiCorp Vault. However, as mentioned, if anyone has access to the server where you're running those tools, the security of your code isn't your only problem.

could not make venv on Raspberry Pi because PyCharm Remote development doesn't support venv

That's a completely separate issue, since you're not required to use venv with the dotenv module.

You also don't need GitHub. You can do remote development and file transfers over SSH/SFTP.

OneCricketeer
  • It's setting the variable values in memory and dotenv reads them from environment memory when set. But my question is that it needs the .env file, which is also exposed to the users/crackers when we hand over the SD card (OS) along with the Raspberry Pi. No need for an SSH passphrase: pull the SD card, load it on another Linux system and read the .env file. No one is considering this in their dotenv examples. Can you please confirm that this .env technique will not help me protect my KEYS in this situation? So that I will search for some other solution. – gaamaa May 07 '23 at 17:31
  • > SOPS or Hashicorp Vault: to access SOPS or HashiCorp we need one API_KEY, right? Where do I store that safely? If there is a way, then I can store all my secrets there itself, right? – gaamaa May 07 '23 at 17:35
  • As mentioned, filesystem access has nothing to do with the dotenv file, or Python, or the hardware/OS itself. That's a people problem. Why would you be handing your SD card to anyone? If you're trying to write software that you're distributing with a private key, then host it on a server that you control, not give it to anyone else. – OneCricketeer May 07 '23 at 18:48
  • Just imagine you have your Linux box and you buy software from me. I send you my Python executable as the software, which runs on your box. My software uses API KEYS, accesses a cloud server and gives you the result. Now how will I hide my API KEYS? I sell a Raspberry Pi + my software to those who don't have any Linux system. Mine is video streaming software; it cannot run on my server. It has to run on the client's system. – gaamaa May 07 '23 at 19:16
  • Plenty of software has API keys. Everyone using AWS services has API keys on their systems. You should sell the keys as **encrypted, individual licenses, per client**, not distribute one key to everyone for the backend software that your own software needs. It's then those people's responsibility to secure their own hardware and not abuse your services. Beyond that, you can encrypt the SD card, but anyone who cares enough to get access to your hardware can still use tools to try and decrypt it... Like I said, a people problem, not OS/Python/env file related at all. – OneCricketeer May 08 '23 at 14:39
  • First of all, I don't use any API KEYs in my software. I gave API KEY only as an example so you could understand that I am talking about security. My software is different: I have to hide a lot of secrets, e.g. streaming base URL, streaming KEY, ZIP passwords, etc. The bottom line is how to hide secret settings in Python executables. – gaamaa May 08 '23 at 18:10
  • See [this answer](https://stackoverflow.com/a/261727/2308683) and all others on that post. – OneCricketeer May 09 '23 at 15:07
  • Also, you explicitly wrote "Now how will I hide my API KEYS"? Now you say you don't have any? I am so confused. I suggest you start with a read of https://wiki.python.org/moin/Asking%20for%20Help/How%20do%20you%20protect%20Python%20source%20code%3F – OneCricketeer May 09 '23 at 15:13
  • + Your "clients" should not "need Linux". Netflix, for example of a video streaming service, uses an HTML5 browser. All they need is a web client. This works on all devices with an internet connection (but **not** a Raspberry Pi, due to DRM, I believe). They offer their services through a cloud server which requires you to log in to an account. Reverse engineering Netflix code on the client side will just show a bunch of API calls to their services and no access keys/tokens/credentials for their backend video storage... Same could be said for the YouTube app. – OneCricketeer May 09 '23 at 15:17
  • Thanks again OneCricketeer. I use omxplayer and ffmpeg on the Raspberry Pi and output the video on the HDMI port, so the decoding must be done on the local client (Raspberry Pi). I finished my project successfully last month in Python. I use Cython to build the *.py files as binaries, but when I use "strings binaryName" I see all my secret strings, which is really bad. All the constant variable values are exposed. This is the only reason I am searching for a solution. I know I confuse you... as I am too. Really sorry for that. Let me try... – gaamaa May 09 '23 at 21:14
  • I suggest you create a new post, since your question has changed very far from just how to handle a dotenv file. As answered, you would limit physical access to the disk via physical locks (get an enclosure that would break the motherboard if someone tries to tear it apart) or software ones (encryption). – OneCricketeer May 09 '23 at 23:58
  • Ok, I will close this and thank you so much. – gaamaa May 10 '23 at 08:27
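The per-client credential design the comments point to (individual licenses per client, and a client that only ever holds API-call credentials, never the backend's own keys), as an added example that is not code from the thread. The backend is an in-process class standing in for a server the vendor controls, the device ids are made up, and "HMAC of the device id" is one simple way to mint per-device tokens, chosen for brevity rather than as the thread's recommendation.

```python
"""
Added example: one shared secret on every SD card versus a per-device credential.
Not code from the thread. The backend here is an in-process stand-in for a server
the vendor controls; device ids and the stream URL are constructed demo values.
"""
import hashlib
import hmac
import secrets


class Backend:
    """Server side. The signing key is the only long-lived secret and never
    leaves the server; devices only ever hold tokens derived from it."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)
        self._revoked = set()

    def issue_license(self, device_id):
        """Per-device token: HMAC-SHA256 of the device id under the server key."""
        return hmac.new(self._signing_key, device_id.encode(), hashlib.sha256).hexdigest()

    def revoke(self, device_id):
        """Cut off one device (e.g. its SD card was cloned) without touching the others."""
        self._revoked.add(device_id)

    def verify(self, device_id, token):
        if device_id in self._revoked:
            return False
        expected = self.issue_license(device_id)
        # constant-time compare so a forged token leaks nothing via timing
        return hmac.compare_digest(expected, token)

    def stream_url(self, device_id, token):
        """Handed out per request to an authenticated device; never stored on the card."""
        if not self.verify(device_id, token):
            return None
        return "rtmp://stream.example.invalid/live/" + device_id  # constructed demo URL


class Device:
    """Everything that lives on the SD card: its own id and its own token."""

    def __init__(self, device_id, token):
        self.device_id = device_id
        self.token = token

    def fetch_stream_url(self, backend):
        return backend.stream_url(self.device_id, self.token)


def demo():
    """Walk through issue, use, theft of one card's token, and revocation."""
    backend = Backend()
    pi_a = Device("pi-0001", backend.issue_license("pi-0001"))
    pi_b = Device("pi-0002", backend.issue_license("pi-0002"))
    results = {
        "device_a_ok": pi_a.fetch_stream_url(backend) is not None,
        "device_b_ok": pi_b.fetch_stream_url(backend) is not None,
    }
    # Attacker pulls pi_a's SD card and copies its token...
    stolen = Device("pi-0001", pi_a.token)
    # ...but it only identifies pi_a, so it cannot be presented as another device,
    results["stolen_token_as_other_device"] = (
        Device("pi-0002", stolen.token).fetch_stream_url(backend) is not None
    )
    # and the vendor can revoke that one device while the rest keep working.
    backend.revoke("pi-0001")
    results["stolen_token_after_revoke"] = stolen.fetch_stream_url(backend) is not None
    results["device_b_unaffected"] = pi_b.fetch_stream_url(backend) is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

A production backend would more likely store random per-device tokens with an expiry and rotate them, but the property that matters is the same as in this toy: what sits on the card is a credential for that one device, and the key needed to mint credentials for everyone is not on the card at all. The owner of a Pi can still extract their own token, which is the "people problem" the comments describe; the design bounds the damage to one revocable identity rather than preventing extraction.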

As mentioned in the other answers, .env files are commonly used so that they aren't committed into source control like GitHub. I personally sometimes use variables saved in .env files so that I can change those secrets or values in one place and they change everywhere.

OneCricketeer
  • Zameel Hassan: You are still talking about GitHub submission only. I am talking about a standalone Python application released on a Raspberry Pi box with an SD card. If anyone fiddles with that SD card and tries reading my variables, I still need to secure that. – gaamaa May 07 '23 at 17:39