diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..c5bd52ff
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+**/blackbox-admins.txt text eol=lf
+**/blackbox-files.txt text eol=lf
diff --git a/.gitignore b/.gitignore
index f3e5727d..836ffecc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,8 @@ target/
 # Emacs stuff
 \#*\#
 *~
+/keyrings/live/pubring.gpg~
+/keyrings/live/pubring.kbx~
+/keyrings/live/secring.gpg
+/bbtest.txt
+/hknweb/settings/secrets.py
diff --git a/Makefile b/Makefile
index a0726c1f..e5e44d38 100644
--- a/Makefile
+++ b/Makefile
@@ -5,11 +5,11 @@ PIP_HOME = $(shell python3 -c "import site; import os; print(os.path.join(site.U
 
 .PHONY: dev
 dev:
-	pipenv run python ./manage.py runserver $(DEV_LISTEN_IP):$(DEV_PORT)
+	HKNWEB_MODE='dev' pipenv run python ./manage.py runserver $(DEV_LISTEN_IP):$(DEV_PORT)
 
 .PHONY: dev-vagrant
 dev-vagrant:
-	pipenv run python ./manage.py runserver [::]:$(DEV_PORT)
+	HKNWEB_MODE='dev' pipenv run python ./manage.py runserver [::]:$(DEV_PORT)
 
 .PHONY: livereload
 livereload:
@@ -29,7 +29,7 @@ venv: Pipfile Pipfile.lock
 
 .PHONY: migrate
 migrate:
-	pipenv run python ./manage.py migrate
+	pipenv run python ./manage.py migrate --settings=hknweb.settings.dev
 
 .PHONY: test
 test: venv
diff --git a/bbtest.txt.gpg b/bbtest.txt.gpg
new file mode 100644
index 00000000..bde488f5
Binary files /dev/null and b/bbtest.txt.gpg differ
diff --git a/hknweb/settings/__init__.py b/hknweb/settings/__init__.py
new file mode 100644
index 00000000..789ce58d
--- /dev/null
+++ b/hknweb/settings/__init__.py
@@ -0,0 +1,15 @@
+import os
+import sys
+
+try:
+    HKNWEB_MODE = os.environ['HKNWEB_MODE'].lower()
+    if HKNWEB_MODE == 'dev':
+        from .dev import *
+    elif HKNWEB_MODE == 'prod':
+        from .prod import *
+    else:
+        print("HKNWEB_MODE is not a valid value")
+        sys.exit()
+except KeyError:
+    print("SETTINGS says: HKNWEB_MODE not supplied, so no data will be loaded into settings. You can still load of the subpackages manually.")
+
diff --git a/hknweb/settings.py b/hknweb/settings/common.py
similarity index 91%
rename from hknweb/settings.py
rename to hknweb/settings/common.py
index dce868ee..2807c1aa 100644
--- a/hknweb/settings.py
+++ b/hknweb/settings/common.py
@@ -12,21 +12,11 @@
 import os
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.0/howto/deployment/checklist/
-
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'v9lj^szduvr@a*31&r(l5ub+5q%ebszts70vlpzaiekt23s)gb'
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
-
-ALLOWED_HOSTS = []
-
-
 # Application definition
 
 INSTALLED_APPS = [
diff --git a/hknweb/settings/dev.py b/hknweb/settings/dev.py
new file mode 100644
index 00000000..92ac7fc1
--- /dev/null
+++ b/hknweb/settings/dev.py
@@ -0,0 +1,15 @@
+from .common import *
+
+#In dev mode, attempt to use real secrets, but if unavailiable, fall back to dummy secrets
+try:
+    from .secrets import *
+except ImportError:
+    from .dummy_secrets import *
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = ['localhost','127.0.0.1','hkn.eecs.berkely.edu','hkn.mu']
+
+
+
diff --git a/hknweb/settings/dummy_secrets.py b/hknweb/settings/dummy_secrets.py
new file mode 100644
index 00000000..5332c094
--- /dev/null
+++ b/hknweb/settings/dummy_secrets.py
@@ -0,0 +1,4 @@
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'v9lj^szduvr@a*31&r(l5ub+5q%ebszts70vlpzaiekt23s)gb'
+
+
diff --git a/hknweb/settings/prod.py b/hknweb/settings/prod.py
new file mode 100644
index 00000000..d4a0aad5
--- /dev/null
+++ b/hknweb/settings/prod.py
@@ -0,0 +1,17 @@
+from .common import *
+
+
+#In prod mode, rigidly enforce using real secrets and fail if unavailiable
+from .secrets import *
+
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'v9lj^szduvr@a*31&r(l5ub+5q%ebszts70vlpzaiekt23s)gb'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = False
+
+ALLOWED_HOSTS = ['hkn.eecs.berkeley.edu','hkn.mu']
+
+
+
diff --git a/hknweb/settings/secrets.py.gpg b/hknweb/settings/secrets.py.gpg
new file mode 100644
index 00000000..fc64b60f
Binary files /dev/null and b/hknweb/settings/secrets.py.gpg differ
diff --git a/keyrings/live/blackbox-admins.txt b/keyrings/live/blackbox-admins.txt
new file mode 100644
index 00000000..9b56f168
--- /dev/null
+++ b/keyrings/live/blackbox-admins.txt
@@ -0,0 +1,4 @@
+1F3CAA5F32F6483D
+hutch@hkn.eecs.berkeley.edu
+jameszhu@berkeley.edu
+jvperrin@hkn.eecs.berkeley.edu
diff --git a/keyrings/live/blackbox-files.txt b/keyrings/live/blackbox-files.txt
new file mode 100644
index 00000000..78b9fc23
--- /dev/null
+++ b/keyrings/live/blackbox-files.txt
@@ -0,0 +1,2 @@
+bbtest.txt
+hknweb/settings/secrets.py
diff --git a/keyrings/live/pubring.kbx b/keyrings/live/pubring.kbx
new file mode 100644
index 00000000..7846c3a1
Binary files /dev/null and b/keyrings/live/pubring.kbx differ
diff --git a/keyrings/live/trustdb.gpg b/keyrings/live/trustdb.gpg
new file mode 100644
index 00000000..620ba52b
Binary files /dev/null and b/keyrings/live/trustdb.gpg differ