Protecting Sensitive Configuration Files: .gitignore, Environment Variables, Secret Management, and AES Encryption with Python

Introduction

In modern software development, DevOps emphasizes close collaboration between development and operations, and configuration management is a key component. Configuration files often contain sensitive data such as database connection strings, middleware credentials, API keys, and user credentials, which must be protected from accidental exposure in Git repositories.

1. Sensitive Information in Configuration Files

Database connection strings

Third‑party middleware access credentials

API keys

Other sensitive user credentials

Leakage of this information can lead to data breaches and service disruptions.

2. Prevent Uploading Sensitive Information to Git Repositories

Use .gitignore File

Create or edit a .gitignore file at the project root and add paths to configuration files, for example:

# Ignore configuration files
config/*.env
config/*.json

Environment Variables

Store sensitive data in environment variables instead of configuration files, using tools like dotenv to load them at runtime.

Secret Management Tools

Adopt dedicated secret management solutions such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to store and retrieve secrets securely.

3. Encrypt Configuration File Content

Encrypting configuration files with symmetric algorithms such as AES ensures that even if the files are stolen, their contents remain unreadable. Decrypt the data at application startup.

Encryption Process

Encrypt the configuration content using AES.

Store the encrypted content back into the configuration file.

At application startup, read the encrypted file and decrypt it.

4. AES Encryption/Decryption Script in Python3

The following script demonstrates AES encryption and decryption using the pycryptodome library.

Install Dependency

pip install pycryptodome

AES Encryption Script

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import os
import base64

# Generate a random 16‑byte key
def generate_key():
    return os.urandom(16)

# Encryption function
def encrypt(plain_text, key):
    cipher = AES.new(key, AES.MODE_CBC)
    ct_bytes = cipher.encrypt(pad(plain_text.encode(), AES.block_size))
    iv = base64.b64encode(cipher.iv).decode('utf-8')
    ct = base64.b64encode(ct_bytes).decode('utf-8')
    return iv, ct

# Decryption function
def decrypt(iv, ct, key):
    iv = base64.b64decode(iv)
    ct = base64.b64decode(ct)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    pt = unpad(cipher.decrypt(ct), AES.block_size).decode('utf-8')
    return pt

# Example usage
if __name__ == "__main__":
    secret_key = generate_key()
    config_data = "database_url=postgresql://user:password@localhost/dbname"

    iv, ct = encrypt(config_data, secret_key)
    print(f"Encrypted: IV={iv}, CT={ct}")

    decrypted_text = decrypt(iv, ct, secret_key)
    print(f"Decrypted: {decrypted_text}")

Usage Instructions

Run the script to generate a random key and encrypt configuration data.

The printed IV and ciphertext can be stored in a configuration file.

Use the same key to decrypt and recover the original data.

5. Separate Configuration Files from Application Code

Separating configuration from code improves maintainability and security. In a CI/CD pipeline, update encrypted configuration files through the following steps:

Update Process

Decrypt the existing configuration file using the AES script.

Modify the decrypted content (e.g., update database credentials or API keys).

Re‑encrypt the modified content.

Push the encrypted file to the Git repository, ensuring raw secrets are never exposed.

CI/CD Integration

Integrate these steps into automated pipelines, retrieving encryption keys from environment variables or secret management tools to securely update configurations.

Conclusion

Proper management of sensitive configuration data is essential in DevOps. Using .gitignore , environment variables, secret management tools, and AES encryption reduces the risk of leaks. The provided Python script offers a foundation for encrypting configuration files, which can be extended to meet specific requirements.