1

I use Python and SQL Server to manage a database, but I do not know the "good practices" of database management and know little about information security.

Is it secure to save database credentials in Windows as environment variables and use them in scripts with os.environ? Like this:

import os
DB_HOST = os.environ['DBHOST']
DB_USER = os.environ['DBUSER']
... 

What is the proper way to store credentials to automate the use of databases?

Carlos Bettin

3 Answers

1

If you are asking if you should permanently set environment variables for your laptop - I’d avoid that because any process could list all environment variables on the PC and the associated stored values quite easily.

Instead - I’d recommend checking out Keyring. This will use the Windows Credential Locker (or other OS specific keyring services).

Erik Z
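Added example, not part of the answer above: one way to apply the Keyring suggestion, keeping the host and user name in environment variables and the password only in the OS credential store. The service name `example-sqlserver`, the helper names and the `store` parameter are assumptions made for illustration; the third-party `keyring` package must be installed.

```python
import getpass
import os

SERVICE = "example-sqlserver"  # constructed service name (assumption)
SECRET_HINTS = ("PASS", "PWD", "SECRET", "TOKEN")


def _keyring():
    # Imported lazily: third-party package (pip install keyring). On Windows
    # it stores entries in the Windows Credential Locker.
    import keyring
    return keyring


def save_password(user, password=None, store=None):
    """Run once, interactively, to place the password in the OS credential store."""
    store = _keyring() if store is None else store
    if password is None:
        password = getpass.getpass(f"Password for {user}: ")
    store.set_password(SERVICE, user, password)


def secret_like_env_names(env=None):
    """Audit helper: names of environment variables that look like secrets."""
    env = os.environ if env is None else env
    return sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))


def load_db_config(env=None, store=None):
    """Host and user come from the environment; the password only from the store."""
    env = os.environ if env is None else env
    store = _keyring() if store is None else store
    user = env["DBUSER"]
    password = store.get_password(SERVICE, user)
    if password is None:  # keyring returns None when no entry exists
        raise LookupError(f"no stored password for {user!r} in {SERVICE!r}")
    return {"host": env["DBHOST"], "user": user, "password": password}


if __name__ == "__main__":
    leaked = secret_like_env_names()
    if leaked:
        print("secret-looking environment variables:", ", ".join(leaked))
    cfg = load_db_config()
    print("loaded credentials for", cfg["user"], "on", cfg["host"])
```

Call `save_password("your_user")` once from an interactive session so the password is typed at a prompt and never appears in a script, a shell history or an environment variable.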
1

Usually secure credentials are stored in a .env file that relates to your current environment and are then grabbed from within your code, e.g. DB_HOST = env('DBHOST').

Basically what you're doing right now but stored in a file (as secure as you need it, possibly encrypted) rather than directly as environment variables as they're accessible from the entire machine.

Prodigle
1

By using the EncryptByPassPhrase('key','Your_Password') method in SQL Server. Example:

create table #temp(id int identity(1,1), Password varbinary(max))
insert into #temp(Password) values(encryptbypassphrase('12','Passw0rd'))
select * from #temp

In that code we provide the original password, but it is stored in the database table as an encrypted value.

Screenshot of my output:


JonathanDavidArndt
Ranjith