secrets.backend = mozsvc.secrets.DerivedSecrets
secrets.master_secrets = master-secret-one master-secret-two
A suitable master secret can be generated using mozsvc as follows:
python -m mozsvc.secrets new
Each node should be configured to use the FixedSecrets class and its corresponding derived secret:
secrets.secrets = node-master-secret-one, node-master-secret-two
This prevents a compromise on one service node from leaking the secrets on all nodes. A suitable node-specific secret can be derived from the master secret as follows: python -m mozsvc.secrets derive <master_secret> https://<node_name>