The normal in these cases is that the secret configuration is a token - which will be used as a symmetric password for the DB - that will be available in a file or in an environment variable on the server.
Of course, this token should never be part of a versioned file - at least not along with the source code.
If you look at all existing deploy automation systems - Chef, Salt, Puppet and even Docker - they all have a way of passing you, via the command line, configuration that will be available on the deployed systems but is not part of the repository - this information can be environment variables, or something else.
In your case, it looks like a small deploy, which will not be automated - the best thing to do is to log into the server and generate the token manually in a file that will not be versioned - create a small script for it. Anyone who has access to your server will have access to this token - normal Unix file permissions can give some more protection if the server is shared - but practices are in favor of using a VPS and assuming that anyone who has access to the server can see these tokens (and you isolate the server with login only by restricted IPs, private key, etc.).
Above is what is cool to know and does not depend on the system being in Python or not. Now something specific about Python: a package I like to use that gives good flexibility to such configurations, allowing ease in the development environment and security in the deployed environment, is prettyconf (the author is Osvaldo Santana, who was once president of the Pythonbrasil association). It is a simple package, but it allows your system at run time to try to retrieve a value from an environment variable and, if it is not available, take it by default from a configuration file.
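A worked example of the lookup order the answer describes (environment variable first, then a non-versioned file on the server), with the file-permission check the answer mentions. This is added illustration code, not from the answer and not prettyconf's own code; the function names, the `.env`-style file format and the `DB_TOKEN` variable are assumptions.

```python
# Added example: env var first, then a non-versioned KEY=VALUE file (not prettyconf itself).
import os
import stat
import tempfile
from pathlib import Path


class MissingSecret(Exception):
    """Raised when the secret is in neither the environment nor the file."""


def parse_env_file(path):
    """Parse KEY=VALUE lines from an .env-style file; blank and '#' lines are skipped."""
    values = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def file_is_private(path):
    """True when the file is not readable by group or others (i.e. chmod 600)."""
    if os.name != "posix":  # Unix permission bits only mean something on POSIX
        return True
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def get_secret(name, env_file=None, environ=None):
    """The environment variable wins; otherwise fall back to the (private) env file."""
    environ = os.environ if environ is None else environ
    if name in environ:
        return environ[name]
    if env_file and Path(env_file).exists():
        if not file_is_private(env_file):
            raise PermissionError(f"{env_file} is readable by other users; chmod 600 it")
        values = parse_env_file(env_file)
        if name in values:
            return values[name]
    raise MissingSecret(f"{name} not set in the environment or in {env_file}")


def demo():
    """Constructed sample: write a private .env on disk and resolve DB_TOKEN both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        env_file = Path(tmp) / ".env"
        env_file.write_text("# generated on the server, never committed\nDB_TOKEN='from-file'\n")
        env_file.chmod(0o600)
        from_file = get_secret("DB_TOKEN", env_file, environ={})
        from_env = get_secret("DB_TOKEN", env_file, environ={"DB_TOKEN": "from-env"})
        return from_file, from_env
```

The same precedence is what lets the development machine use the file while the deployed server sets the variable, so the token never has to appear in a versioned file.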