How To Keep A Secret in Python Apps

Episode Deep Dive

Guest Introduction and Background

Glyph Lefkowitz is a long-time and well-known Python contributor. He's deeply involved in the Python community and has been on Talk Python To Me several times before. In this episode, Glyph discusses his focus on Python security practices for managing secrets (like API keys and database passwords). He also talks briefly about his open-source work, such as the ADHD-focused productivity app called Pomodorobros, which he’s developing entirely in Python, along with his new tools for securing secrets locally.

What to Know If You’re New to Python

If you are just getting started with Python, the conversation in this episode about handling secrets may feel a bit advanced. However, keeping your API keys and passwords secure is critical, no matter your experience level. Here are a couple of baseline pointers to help you make sense of the discussion:

• Don’t hard-code passwords or tokens in your .py files.
• Basic tooling like keyring (a Python library) can help you securely retrieve secrets so you don’t store them directly in code.

Key Points and Takeaways

1. Why You Should Never Store Secrets in Source Code Most APIs, databases, and web services require tokens, credentials, or passwords. Storing these directly in your code or config files creates a huge security risk. Attackers or even unintended users can gain unauthorized access if they locate these secrets.

• Tools & Links:
  • shhgit (archived on GitHub) – Demonstration that secrets are frequently exposed publicly
  • GitHub secret scanning – Automatic detection of leaked credentials on GitHub

2. Password Managers and Memorization Glyph emphasized using a password manager for human-generated secrets and described how forgetting your master password can be as catastrophic as getting hacked (the “availability” part of the CIA triad). He created PinPal to help developers memorize strong master passwords more easily.

• Tools & Links:
  • Bitwarden and 1Password – Popular password managers
  • PinPal (available via PyPI) – Memorization helper

3. Importance of Threat Modeling Threat modeling isn’t just for big corporations. It’s a mindset of systematically thinking through what could go wrong and why. Write down your potential risks and revisit them regularly, rather than reacting to security headlines individually.

• Tools & Links:
  • Threat Modeling – OWASP community documentation

4. Keyring for Managing Python Secrets In Python, the keyring library is the go-to for managing secrets. By calling keyring.set_password() and keyring.get_password(), you can rely on secure storage native to the OS (macOS Keychain, Windows Credential Manager, or Linux Secret Service) rather than storing them in plain files or environment variables.

• Tools & Links:
  • keyring on PyPI

5. Why macOS Keychain Stands Out Glyph noted macOS’s security prompts when an app tries to access secrets. This approach of prompting the user or requiring the user to “unlock” the secret each time can significantly reduce the risk of malware automatically reading your credentials.

• Tools & Links:
  • macOS Keychain (built into macOS)
  • Windows Credential Manager (Windows equivalent)

6. Environment Variables: Proceed with Caution Environment variables are a default solution for many cloud platforms but are easily leaked if a script prints them out or if logs are not carefully sanitized. If possible, keep environment variables to a minimum or store only an intermediate, less-sensitive secret (e.g., a decryption key).

• Tools & Links:
  • AWS Vault – Manages AWS credentials without storing them in plain text
  • Gimme AWS Creds – Another AWS credential helper

7. Continuous Integration and GitHub Actions Secrets in CI/CD environments (like GitHub Actions) should be handled using GitHub’s built-in secrets system (a secure settings storage), never committed to your repository. This system ensures only trusted branches or approved merges can read the secrets.

• Tools & Links:
  • GitHub Actions Secrets

8. CIA Triad: Confidentiality, Integrity, Availability One major takeaway is that you must balance security with practicality. A robust secret storage approach can fail if you forget your master password and lose “availability.” Equally, if you store everything in plain text, you lose confidentiality.

• Tools & Links:
  • CIA Triad reference

9. Don’t Underestimate Local Machine Security The conversation repeatedly highlighted that if your local computer is compromised, everything else you do to secure your cloud environment can be bypassed. Use disk encryption and keep your OS updated as a foundational practice.

• Tools & Links:
  • FileVault (macOS), BitLocker (Windows), and LUKS/dm-crypt (Linux)

10. Creating a Repeatable Security Process A big theme is having standardized security processes. Don’t fix one “secret leak” with an ad-hoc approach. Invest time in a single approach using libraries like keyring, and apply that approach consistently across all your projects for straightforward upgrades and management.

• Tools & Links:
  • Token Ring – Glyph’s experimental YubiKey-based keyring backend

11. Handling Phishing and Credential Autofill Another practical point was always let your password manager autofill credentials. If it doesn’t autofill, treat it as a red flag. Phishing sites often look convincing, but if your password manager doesn’t recognize the domain, you should be suspicious.

• Tools & Links:
  • 1Password autofill docs
  • Bitwarden autofill docs

Interesting Quotes and Stories

• “If we talk about secrets, are they still secrets?” – A moment of levity highlighting the paradox of discussing secret-keeping in a public podcast.
• The “time-loop fable” with Jethro: Each iteration, Jethro’s site fails by a new secret-leak scenario. This cyclical story illustrates the importance of consistent processes rather than patchwork fixes.
• “We can't have nice things because of people.” – The conversation about malicious actors and stolen laptops underscores why we must design security for the real world, not an ideal one.

Key Definitions and Terms

• Keyring: A Python library offering a uniform interface to various secure credential-storing systems.
• PinPal: A memorization utility created by Glyph that helps you practice recalling a difficult or lengthy master password.
• Threat Modeling: A practice in security engineering to think through possible ways an attacker can compromise your systems.
• CIA Triad: The three core pillars of security—Confidentiality, Integrity, and Availability.

Learning Resources

If you’d like to go deeper into security, here are two places to start:

• Secure APIs with FastAPI and the Microsoft Identity Platform: Learn about OAuth2, OIDC, and how to manage tokens and secrets securely for production APIs.
• Up and Running with Git: While it’s not purely a security course, mastering Git (and avoiding secret commits) is essential for not leaking API keys in version control.

Overall Takeaway

Whether you’re new to Python or an experienced veteran, you can’t overlook the importance of secret management. Tools like Keyring, password managers, and standardized processes can go a long way in protecting your credentials from leaks and attacks. As Glyph noted throughout the conversation, investing in these practices helps ensure both security and peace of mind—so you can focus on building great Python applications with fewer worries about exposing those all-important keys and passwords.