Secrets and environment files

How Pystrano handles environment files and optional secret files during Django deployments.

Do not commit secrets

Pystrano should not encourage committing production secrets. Keep real dotenv files, service-specific credentials, private keys, and Django secret material out of Git unless they are encrypted and your team has accepted that workflow.

Environment files

The env_file setting points to a local dotenv file. During deploy, Pystrano copies that file into the remote shared directory and loads its values when running Django management commands such as migrations and static collection.

Shared secret files

The optional secrets setting accepts semicolon-separated local files. During setup, Pystrano copies them into the remote shared directory. During deploy, Pystrano links those files into each release.

This is useful for files that your app expects on disk, but it is not a complete secret-management system.
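A local pre-deploy check for the files named by env_file and secrets, added here as an example and not part of Pystrano: it splits the semicolon-separated secrets value and flags any file that is missing, accessible by group or others, or tracked by Git. The function names and the paths passed on the command line are assumptions of this example; it uses only the Python standard library and the git CLI.

```python
import os
import stat
import subprocess
import sys

def split_secrets(value):
    """Split a semicolon-separated `secrets` value into clean paths."""
    return [p.strip() for p in (value or "").split(";") if p.strip()]

def is_tracked(path):
    """True if Git tracks `path`, False if not, None if it cannot be determined."""
    directory = os.path.dirname(os.path.abspath(path))
    try:
        result = subprocess.run(
            ["git", "ls-files", "--error-unmatch", os.path.basename(path)],
            cwd=directory, capture_output=True,
        )
    except OSError:  # git not installed, or the directory does not exist
        return None
    if result.returncode == 0:
        return True
    # Exit code 1 means "not tracked"; anything else (e.g. not a repository) is unknown.
    return False if result.returncode == 1 else None

def audit(env_file, secrets, tracked=is_tracked):
    """Return (path, problem) findings for the local files a deploy would upload."""
    findings = []
    for path in [env_file] + split_secrets(secrets):
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        # Any group/other permission bit on a secret file is treated as a finding.
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append((path, "accessible by group or others"))
        if tracked(path):
            findings.append((path, "tracked by Git"))
    return findings

if __name__ == "__main__":
    # Usage (paths are whatever your own configuration names):
    #   python check_secrets.py <env_file> "<secrets value>"
    problems = audit(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "")
    for path, problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it before setup or deploy; a non-zero exit status means at least one file needs attention before it is copied to the server.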

Secret management is separate

Decide how secrets are generated, stored, reviewed, rotated, and revoked outside Pystrano. Depending on your environment, that may mean a password manager, cloud secret manager, encrypted repository files, manual server provisioning, or another audited process.