Add encryption settings

2025-03-21 15:56:55 +01:00 · 2025-03-21 15:56:55 +01:00 · 00703807d6
commit 00703807d6
parent 5ba2b235cd
2 changed files with 9 additions and 1 deletions
--- a/.env.example
+++ b/.env.example
@ -4,10 +4,14 @@
 # When the environment is "development", DEBUG is set to True.
 SERVALA_ENVIRONMENT='development'

-# Set PREVIOUS_SECRET_KEY when rotating to a new secret key in order to not expire all sessions
+# Set SERVALA_PREVIOUS_SECRET_KEY when rotating to a new secret key in order to not expire all sessions and to remain able to read encrypted fields!
 # SERVALA_PREVIOUS_SECRET_KEY=''
 SERVALA_SECRET_KEY='django-insecure-8sl^1&1f-$3%w7cf)q(rcvi4jo(#s3ug-@be0ooc2ioep*&%7@'

+# Set SERVALA_PREVIOUS_SALT_KEY when rotating to a new salt in order to remain able to read encrypted fields!
+# SERVALA_PREVIOUS_SALT_KEY=''
+SERVALA_SALT_KEY='eed6UaCi3euZojai5Iequ8ochookun1o'
+
 # Set the allowed hosts as comma-separated list.
 # Use a leading dot to match a domain and all subdomains.
 # Leave or unset in the development environment in order to accept localhost names.
--- a/src/servala/settings.py
+++ b/src/servala/settings.py
@ -21,6 +21,10 @@ SECRET_KEY = os.environ.get("SERVALA_SECRET_KEY")
 if previous_secret_key := os.environ.get("SERVALA_PREVIOUS_SECRET_KEY"):
    SECRET_KEY_FALLBACKS = [previous_secret_key]

+SALT_KEY = os.environ.get("SERVALA_SALT_KEY")
+if previous_salt := os.environ.get("SERVALA_PREVIOUS_SALT_KEY"):
+    SALT_KEY = [SALT_KEY, previous_salt]
+
 BASE_DIR = Path(__file__).resolve().parent.parent

 ALLOWED_HOSTS = []