I'm following along with a Flask tutorial on a Mac using Python 2.7 that walks you through building a simple blog with a user login and password functionality.
The login system is based on the Flask-Login module.
The initial step is to set up a secret key in the config.py file in the app's directory that looks like this:
import os

class DevelopmentConfig(object):
    SQLALCHEMY_DATABASE_URI = "postgresql://ubuntu:thinkful@localhost:5432/blogful"
    DEBUG = True
    SECRET_KEY = os.environ.get("BLOGFUL_SECRET_KEY", "")
I understand that SECRET_KEY is being used to cryptographically secure the application because it's not a good idea to store the application's secret key inside the application configuration itself, correct? Therefore, we're using os.environ.get to obtain the secret key from an environment variable.
To make this happen, the tutorial says it's necessary to export the environment variable at the command line via:
export BLOGFUL_SECRET_KEY="your_secret_key_here"
This sets an environment variable called BLOGFUL_SECRET_KEY — but how exactly is the secret key created using this environment variable?
To directly answer your two questions:
The information you probably are really after:
First, keep in mind that I am not a cryptology expert! With that out of the way…
What you need to do is to generate some secret of appropriate size and cryptographic security for your application, then set the environment variable to be that value.
I'm making a guess that the secret key is being used in relation with the flask.ext.login.make_secure_token method of the Flask-Login module you linked to. If this is the case, looking at the source code, the key is being used with HMAC for a SHA-512. Ideally, the key should be the same as the blocksize used by the algorithm which, in this case, as indicated by the source for the Python 2.7 hmac implementation, is 64 for 512-bit HMAC. If the key is smaller than the blocksize, it will be padded with zeros; if larger, it will be hashed down to the blocksize.
The Flask quickstart documentation section for sessions provides an example backed up by Python's os.urandom documentation for generating cryptographically suitable random bytes to use for the secret key. I would alter their example, as we want a key for a blocksize of 64 rather than 24, to be:
import os
os.urandom(64)
Take the result of that and set the environment variable to the value. Using the Flask example directly (don't use these values for your code):
>>> import os
>>> os.urandom(24)
'\xfd{H\xe5<\x95\xf9\xe3\x96.5\xd1\x01O<!\xd5\xa2\xa0\x9fR"\xa1\xa8'
You would take the output, and set the environment variable to that value:
export BLOGFUL_SECRET_KEY='\xfd{H\xe5<\x95\xf9\xe3\x96.5\xd1\x01O<!\xd5\xa2\xa0\x9fR"\xa1\xa8'
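As an added example (not code from the question, the answer or the tutorial), here is the answer's advice turned into a generator whose output survives the export line unchanged, plus a loader that refuses the empty default that os.environ.get(..., "") would otherwise fall back to. The helper names and the hex encoding are this example's own choices; it runs on Python 2.7 and 3.

```python
import binascii
import os

# Assumed names (this example's own, not the tutorial's): the env var name
# matches the question, the helpers and the minimum length are ours.
ENV_VAR = "BLOGFUL_SECRET_KEY"
MIN_KEY_BYTES = 64  # SHA-512 HMAC block size, as discussed in the answer


def generate_secret_key(nbytes=MIN_KEY_BYTES):
    """Return nbytes of os.urandom output as a hex string.

    Hex is used instead of the raw Python repr shown above so the value
    can be pasted into `export BLOGFUL_SECRET_KEY=...` without any shell
    or Python escaping ambiguity: what you export is what Flask gets.
    """
    return binascii.hexlify(os.urandom(nbytes)).decode("ascii")


def load_secret_key(environ=os.environ):
    """Read the key from the environment and refuse weak or missing values.

    The tutorial's `os.environ.get(ENV_VAR, "")` silently yields an empty
    key when the variable is unset; here that is a hard startup error.
    Returns the decoded key bytes, suitable for app.config["SECRET_KEY"].
    """
    value = environ.get(ENV_VAR)
    if not value:
        raise RuntimeError("%s is not set; generate one with "
                           "generate_secret_key()" % ENV_VAR)
    try:
        raw = binascii.unhexlify(value)
    except (TypeError, ValueError):  # py2 raises TypeError, py3 binascii.Error
        raise RuntimeError("%s must be a hex-encoded key" % ENV_VAR)
    if len(raw) < MIN_KEY_BYTES:
        raise RuntimeError("%s is only %d bytes; need at least %d"
                           % (ENV_VAR, len(raw), MIN_KEY_BYTES))
    return raw


if __name__ == "__main__":
    # Print a ready-to-paste export line for a fresh, random key.
    print("export %s='%s'" % (ENV_VAR, generate_secret_key()))
```

Run the script once to get an export line for your shell profile, then have config.py call load_secret_key() instead of os.environ.get so a missing key stops the app rather than leaving it signing sessions with "".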