
Django Encrypted Fields Keys and Gitignore


I'm working on a Django project where one of my models has a field that needs to be encrypted. I'm using django-encrypted-fields for the EncryptedCharField for my model.

As part of the setup, I have to create some keys for encryption. Since I'm working on my local machine, but will be deploying on AWS (both using the same remote database), I'm wondering if the fieldkeys directory, which contains the keys, should be included in my .gitignore file, or if all machines should use the same keys.

Thanks.


Solution

  • I'm wondering if the fieldkeys directory, which contains the keys, should be included in my .gitignore file,

    Ideally no, in that those files should not be in the Git repo folder in the first place (so no need to add them to a .gitignore file).
    Having them inside a Git repo is too dangerous. Even ignored, they can still be added with a git add -f.

    Or if all machines should use the same keys.

    Neither: the best practice remains to have a dedicated key per environment, which makes key revocation easy and won't break all the other environments.

    You need to have a way to reference your key (stored separately outside of the git repo).

    Semi-related: "New AWS Encryption SDK for Python Simplifies Multiple Master Key Encryption".
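One way to wire the answer's two points (keys kept outside the working tree, one key set per environment) into Django settings. This is an added example, not part of the question or the answer and not django-encrypted-fields' own code. It assumes the library reads its key directory from the ENCRYPTED_FIELDS_KEYDIR setting (check your installed version); the FIELDKEYS_DIR environment variable, the helper names and the constructed directory layout in demo() are assumptions made for the example.

```python
"""Resolve the field-key directory from the environment and refuse
locations that would put the keys back inside the Git working tree.

Added example; the setting name ENCRYPTED_FIELDS_KEYDIR is assumed to be
what django-encrypted-fields reads, and FIELDKEYS_DIR, the helper names
and the demo layout are assumptions of this example.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class KeyDirError(RuntimeError):
    """Raised when the key directory is unset, missing, inside the repo, or too open."""


def find_repo_root(start: Path) -> Optional[Path]:
    """Walk up from `start` until a directory containing .git is found."""
    start = start.resolve()
    for candidate in (start, *start.parents):
        if (candidate / ".git").exists():
            return candidate
    return None


def resolve_keydir(env: dict, settings_file: Path) -> Path:
    """Return this deployment's key directory after three checks.

    Each environment (local, staging, prod) exports its own FIELDKEYS_DIR,
    so each runs on its own key set and one key can be rotated or revoked
    without touching the others. The directory must exist, must not sit
    inside the Git repository that contains settings_file (a .gitignore
    entry alone does not stop `git add -f`), and must be mode 0700 so
    only the application user can read the keys.
    """
    raw = env.get("FIELDKEYS_DIR")
    if not raw:
        raise KeyDirError(
            "FIELDKEYS_DIR is not set; refusing to fall back to a key "
            "directory inside the project"
        )
    keydir = Path(raw).expanduser().resolve()
    if not keydir.is_dir():
        raise KeyDirError(f"{keydir} does not exist or is not a directory")
    repo = find_repo_root(settings_file.parent)
    if repo is not None and (keydir == repo or repo in keydir.parents):
        raise KeyDirError(
            f"{keydir} is inside the Git repository {repo}; "
            "keys must live outside the working tree"
        )
    mode = stat.S_IMODE(keydir.stat().st_mode)
    if mode & 0o077:
        raise KeyDirError(
            f"{keydir} is mode {mode:o}; expected 0700 so only the app "
            "user can read the keys"
        )
    return keydir


def demo() -> dict:
    """Constructed layout for illustration: a fake repo containing
    settings.py and a fieldkeys/ directory (wrong place), plus key
    directories outside the repo, one with correct and one with open
    permissions. Returns which candidates were accepted or rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        repo = tmp / "project"
        (repo / ".git").mkdir(parents=True)
        settings_file = repo / "project" / "settings.py"
        settings_file.parent.mkdir()
        settings_file.write_text("# constructed settings module\n")
        inside = repo / "fieldkeys"
        inside.mkdir()
        os.chmod(inside, 0o700)
        outside = tmp / "secrets" / "prod"
        outside.mkdir(parents=True)
        os.chmod(outside, 0o700)
        open_dir = tmp / "secrets" / "staging"
        open_dir.mkdir()
        os.chmod(open_dir, 0o755)
        candidates = (
            ("inside_repo", inside),
            ("outside_repo", outside),
            ("world_readable", open_dir),
            ("unset", None),
        )
        for name, path in candidates:
            env = {} if path is None else {"FIELDKEYS_DIR": str(path)}
            try:
                resolve_keydir(env, settings_file)
                results[name] = "ok"
            except KeyDirError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    # In settings.py you would write, with the real environment:
    # ENCRYPTED_FIELDS_KEYDIR = str(resolve_keydir(os.environ, Path(__file__)))
    print(demo())
```

With this in place the repository never contains a key directory at all, each machine points FIELDKEYS_DIR at its own key set (for example a directory populated from AWS-side secret storage on the deployed hosts), and a misconfigured deployment fails at startup rather than silently encrypting with a checked-in or world-readable key.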