Python Quick Tip: Hiding Passwords and Secret Keys in Environment Variables (Mac & Linux)
Based on Corey Schafer's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.
Move database passwords and API keys out of Python source code to reduce the risk of leaking secrets through shared repositories.
Briefing
Hard-coding passwords and API keys directly in Python scripts is a common beginner mistake—especially when code is shared with a team or pushed to a public repository. A safer pattern is to move secrets into environment variables so the code can be shared without exposing credentials. On Mac and Linux, those environment variables can be set locally while keeping the Python source free of sensitive strings.
The walkthrough starts with a script containing fake credentials: a database username and password are embedded as plain text. The fix is to define two environment variables, one for the database user and one for the database password, in the shell's startup configuration. On Mac and Linux the tutorial uses the user's ~/.bash_profile. After opening a terminal and changing to the home directory, it opens .bash_profile in an editor such as nano and adds, at the top of the file, export statements of the form export DB_USER="..." and export DB_PASS="..." (no spaces around the equals sign, otherwise the shell treats DB_USER as a command to run). The file is saved and the configuration reloaded, either by opening a new terminal or by running source ~/.bash_profile, so the variables are present in the environment. Which file is read depends on the shell: Bash login shells read .bash_profile, interactive non-login Bash shells on many Linux distributions read .bashrc, and zsh (the default shell on current macOS) reads .zshrc, so the exports belong in whichever file your shell actually loads. That file is plain text in the home directory: keep it out of version control and restrict its permissions (chmod 600) so other users on the machine cannot read the secrets.
To confirm the change, the script is updated to read the values from the environment rather than from hard-coded literals. The Python code imports the os module and retrieves the variables through os.environ, looking them up by name, DB_USER and DB_PASS. Indexing os.environ["DB_USER"] raises a KeyError if the variable is unset, while os.environ.get("DB_USER") returns None; for credentials the loud failure is usually preferable, since a None password should not quietly reach a database driver. The script can then connect to the database or call an API with the same credentials, but without storing them in the source code. After saving the script and running it from a shell in which the variables are defined, the output shows the values coming from the environment.
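The two steps above (exporting DB_USER and DB_PASS in the shell, then reading them in Python) as one runnable script. This is an added example, not code from the video: the DB_USER and DB_PASS names are the tutorial's, but the Credentials class, MissingSecretError, load_credentials and connect_kwargs are helpers invented here for illustration, and the sample environment at the bottom is a constructed dict so the demo runs offline without a real shell export or database.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# The two variable names used in the tutorial's .bash_profile exports.
REQUIRED_VARS = ("DB_USER", "DB_PASS")


class MissingSecretError(RuntimeError):
    """Raised when a required environment variable is unset or empty."""


@dataclass(frozen=True)
class Credentials:
    user: str
    password: str

    def __repr__(self) -> str:
        # Mask the password so a stray print() or traceback does not leak it.
        return f"Credentials(user={self.user!r}, password='***')"


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Credentials:
    """Read DB_USER and DB_PASS from `env` (defaults to the real os.environ).

    Fails loudly if either variable is missing or empty, rather than letting
    os.environ.get() hand a None password to the database driver.
    """
    if env is None:
        env = os.environ
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise MissingSecretError(
            "missing environment variable(s): " + ", ".join(missing)
            + " (add export lines to ~/.bash_profile and open a new shell)"
        )
    return Credentials(user=env["DB_USER"], password=env["DB_PASS"])


def connect_kwargs(creds: Credentials, host: str = "localhost") -> dict:
    """Keyword arguments for a hypothetical driver's connect() call.

    Passing the password as a separate argument keeps it out of URL-style
    connection strings, which tend to end up in logs.
    """
    return {"host": host, "user": creds.user, "password": creds.password}


if __name__ == "__main__":
    # Constructed sample environment so the demo runs offline; in the real
    # workflow the values come from the export lines in ~/.bash_profile.
    fake_env = {"DB_USER": "alice", "DB_PASS": "correct horse battery"}
    creds = load_credentials(fake_env)
    print(creds)                      # Credentials(user='alice', password='***')
    print(connect_kwargs(creds)["user"])
    try:
        load_credentials({"DB_USER": "alice"})   # DB_PASS deliberately absent
    except MissingSecretError as exc:
        print("refused to start:", exc)
```

In the real script, call load_credentials() with no argument so it reads os.environ; the env parameter exists so the loader can be exercised with a dict in tests without touching the process environment.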
The practical payoff is straightforward: sharing the Python code no longer automatically shares secrets. Anyone with access to the repository gets the logic, while the sensitive values remain on the local machine (or wherever the environment variables are configured). The approach also sets up a cleaner workflow for teams, since each developer can supply their own environment-specific credentials without editing the codebase.
Overall, the method is a quick but meaningful security improvement: keep secrets out of version-controlled files, store them in environment variables, and load them at runtime through os.environ. It is a first step rather than a complete secrets-management solution: the values still sit in plain text in the shell configuration file, are inherited by every process the shell starts, and can be read by anything running as the same user, so they should never be printed or logged, and production deployments usually move on to a secrets manager or configuration injected at deploy time.
Cornell Notes
The transcript shows how to stop hard-coding database credentials (or API keys) in Python source code by using environment variables. On Mac and Linux, it sets the variables by editing ~/.bash_profile with export statements like export DB_USER="..." and export DB_PASS="...". In Python, it imports the os module and reads the values from os.environ using the variable names as keys. This lets the same code run with different credentials on different machines while keeping secrets out of repositories. The result is safer sharing with teams and less risk of leaking credentials through source control.
Why is hard-coding secrets in a Python script risky when working with teams or repositories?
How are environment variables set on Mac and Linux in this workflow?
What Python mechanism retrieves environment variables at runtime?
What changes in the script after moving credentials to environment variables?
What practical benefit does this approach provide for sharing code?
Review Questions
- What specific problem does environment-variable storage solve compared with hard-coding secrets in Python source code?
- Which file is modified on Mac/Linux in the transcript to define DB_USER and DB_PASS, and what syntax is used?
- In Python, how does the script access DB_USER and DB_PASS once they are set in the environment?
Key Points
1. Move database passwords and API keys out of Python source code to reduce the risk of leaking secrets through shared repositories.
2. On Mac and Linux, define environment variables by editing ~/.bash_profile (or the startup file your shell actually reads, such as .bashrc or .zshrc) and adding export statements like export DB_USER="..." and export DB_PASS="...".
3. Avoid spaces around the equals sign in export assignments (e.g., export DB_USER="value"); with spaces the shell treats DB_USER as a command to run.
4. In Python, import the os module and read secrets from os.environ using the environment variable names as keys.
5. Update the script to use os.environ lookups instead of hard-coded credential strings, and check that the required variables are present before using them.
6. Open a new terminal (or run source ~/.bash_profile) and restart any editor launched before the change, so the updated definitions reach the shell the script runs in.