Automatic SECURE_KEY generation

Registered by Sascha Peilicke

The SECURE_KEY of every Django installation should be set to a unique value upon deployment. Currently, it is the system administrators responsibility to change this to a secure (i.e. unique) value. He has several ways to achieve this:

- Do it manually (current state)
- Use a (Linux) distribution-specific package that generates a key in a post-installation step
- Deploy via crowbar with a modified dashboard barclamp that generates the key

The first option is tedious and error-prone (and easily forgotten). The second option fails if the package is part of a pre-generated appliance (thus installed only once but deployed multiple times) and the latter is beyond our control. Instead, we should allow dashboard instances to generate the secret key automatically once upon first start. However, this can be rather tricky, as the typical Apache+mod_wsgi+daemonized deployment involves several Python interpreters accessing the code, so there's some kind of locking needed. Here's a possible implementation:

It has the advantage that SECRET_KEY doesn't have to be part of anymore and thus is one thing less one needs to care for. It has an additional dependency on the 'lockfile' Python module, but I don't see this as an issue, as it is also pulled in by nova (as a transitive dependency of python-daemon).

Blueprint information

Gabriel Hurley
Gabriel Hurley
Sascha Peilicke
Series goal:
Accepted for folsom
Milestone target:
milestone icon 2012.2
Started by
Gabriel Hurley
Completed by
Gabriel Hurley

Related branches



After discussing this with both the Horizon core team and Django's security czar/core committer Paul McMillan, we've decided the best way to proceed with this is as follows:

  * Remove the default SECRET_KEY so it cannot be shared causing security problems.
  * For development, add a few lines to auto-generate a SECRET_KEY if one isn't present.
  * For production, document that a SECRET_KEY is required, how to generate one, etc.
  * Work with the distros to make sure they properly generate a unique SECRET_KEY for each install.

Just for reference: http://<email address hidden>/msg13232.html

Gerrit topic:,topic:bp/automatic-secure-key-generation,n,z

Addressed by:
    Provide utilities to automate secure secret key generation


Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.