Simple encryption-at-rest with key rotation support for Python.

Overview

keyring

Simple encryption-at-rest with key rotation support for Python.

keyring: Simple encryption-at-rest with key rotation support for Python.

N.B.: keyring is not for encrypting passwords--for that, you should use something like bcrypt. It's meant for encrypting sensitive data you will need to access in plain text (e.g. storing OAuth token from users). Passwords do not fall in that category.

This package is completely independent from any storage mechanisms; the goal is providing a few functions that could be easily integrated with any ORM.

Installation

Add package to your requirements.txt or:

pip install keyring

Usage

Encryption

By default, AES-128-CBC is the algorithm used for encryption. This algorithm uses 16 bytes keys, but you're required to use a key that's double the size because half of that keys will be used to generate the HMAC. The first 16 bytes will be used as the encryption key, and the last 16 bytes will be used to generate the HMAC.

Using random data base64-encoded is the recommended way. You can easily generate keys by using the following command:

$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64 -A
qUjOJFgZsZbTICsN0TMkKqUvSgObYxnkHDsazTqE5tM=

Include the result of this command in the value section of the key description in the keyring. Half this key is used for encryption, and half for the HMAC.

Key size

The key size depends on the algorithm being used. The key size should be double the size as half of it is used for HMAC computation.

  • aes-128-cbc: 16 bytes (encryption) + 16 bytes (HMAC).
  • aes-192-cbc: 24 bytes (encryption) + 24 bytes (HMAC).
  • aes-256-cbc: 32 bytes (encryption) + 32 bytes (HMAC).

About the encrypted message

Initialization vectors (IV) should be unpredictable and unique; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages unencrypted. It may sound contradictory that something has to be unpredictable and unique, but does not have to be secret; it is important to remember that an attacker must not be able to predict ahead of time what a given IV will be.

With that in mind, keyring uses base64(hmac(unencrypted iv + encrypted message) + unencrypted iv + encrypted message) as the final message. If you're planning to migrate from other encryption mechanisms or read encrypted values from the database without using keyring, make sure you account for this. The HMAC is 32-bytes long and the IV is 16-bytes long.

Keyring

Keys are managed through a keyring--a short python Dictionary describing your encryption keys. The keyring must be a Dictionary object mapping numeric ids of the keys to the key values. A keyring must have at least one key. For example:

{
  "1": "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M=",
  "2": "VN8UXRVMNbIh9FWEFVde0q7GUA1SGOie1+FgAKlNYHc="
}

The id is used to track which key encrypted which piece of data; a key with a larger id is assumed to be newer. The value is the actual bytes of the encryption key.

Key Rotation

With keyring you can have multiple encryption keys at once and key rotation is fairly straightforward: if you add a key to the keyring with a higher id than any other key, that key will automatically be used for encryption when objects are either created or updated. Any keys that are no longer in use can be safely removed from the keyring.

It's extremely important that you save the keyring id returned by encrypt(); otherwise, you may not be able to decrypt values (you can always decrypt values if you still possess all encryption keys).

If you're using keyring to encrypt database columns, it's recommended to use a separated keyring for each table you're planning to encrypt: this allows an easier key rotation in case you need (e.g. key leaking).

N.B.: Keys are hardcoded on these examples, but you shouldn't do it on your code base. You can retrieve keyring from environment variables if you're deploying to Heroku and alike, or deploy a JSON file with your configuration management software (e.g. Ansible, Puppet, Chef, etc).

Basic usage of keyring

πŸ”’ Vco48O95YC4jqj44MheY8zFO2NLMPp/KILiUGbKxHvAwLd2/AN+zUG650CJzogttqnF1cGMFb//Idg4+bXoRMQ== #=> πŸ”‘ 1 #=> πŸ”Ž c39ec9729dbacd45cecd5ea9a60b15b50b0cc857 # STEP 2: Decrypted message using encryption key defined by keyring id. decrypted = encryptor.decrypt(encrypted, keyringId) print(f'βœ‰οΈ {decrypted}') #=> βœ‰οΈ super secret">
from keyring import Keyring;

keys = { '1': "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M=" }
encryptor = Keyring(keys, { "digest_salt": "salt-n-pepper" })

# STEP 1: Encrypt message using latest encryption key.
encrypted, keyringId, digest = encryptor.encrypt("super secret")
print(f'πŸ”’ {encrypted}')
print(f'πŸ”‘ {keyringId}')
print(f'πŸ”Ž {digest}')
#=> πŸ”’ Vco48O95YC4jqj44MheY8zFO2NLMPp/KILiUGbKxHvAwLd2/AN+zUG650CJzogttqnF1cGMFb//Idg4+bXoRMQ== 
#=> πŸ”‘ 1
#=> πŸ”Ž c39ec9729dbacd45cecd5ea9a60b15b50b0cc857

# STEP 2: Decrypted message using encryption key defined by keyring id.
decrypted = encryptor.decrypt(encrypted, keyringId)
print(f'βœ‰οΈ {decrypted}')
#=> βœ‰οΈ super secret

Change encryption algorithm

You can choose between AES-128-CBC, AES-192-CBC and AES-256-CBC. By default, AES-128-CBC will be used.

To specify the encryption algorithm, set the encryption option. The following example uses AES-256-CBC.

", })">
from keyring import Keyring

keys = { "1": "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M=" }
encryptor = Keyring(keys, {
  "encryption": "aes-256-cbc",
  "digest_salt": "
   
    "
   ,
})

Exchange data with Ruby

If you use Ruby, you may be interested in https://github.com/fnando/attr_keyring, which is able to read and write messages using the same format.

Exchange data with Node.js

If you use Node.js, you may be interested in https://github.com/fnando/keyring-node, which is able to read and write messages using the same format.

Development

After checking out the repo, run pip install -r requirements.dev.txt to install dependencies. Then, run pytest to run the tests.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/dannluciano/keyring-python. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Icon

Icon made by Icongeek26 from Flaticon is licensed by Creative Commons BY 3.0.

Code of Conduct

Everyone interacting in the keyring project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

Acknowledgments

Inspired:

Thanks to IFPI for pay my salary!

IFPI

You might also like...
Linear encryption software programmed with python
Linear encryption software programmed with python

Echoder linear encryption software programmed with python How does it work? The text in the text section runs a function with two keys entered keys mu

A python implementation of our standard object-oriented encryption package, shipped with most apps.

Encryption Manager (python edition) VerseGroup's native encryption manager adapted for python applications. Function Generate new set of private and p

A Python script to implement Hill's Cipher Encryption and Decryption.

Hill_Cipher-Encryption_and_Decryption A Python script to implement Hill's Cipher Encryption and Decryption. Initially in the Encryption part, the Plai

Gridlock - Encryption and decryption python project
Gridlock - Encryption and decryption python project

Gridlock Encryption Encryption and decryption of plain text messages inspired by

SSEPy: Implementation of searchable symmetric encryption in pure Python
SSEPy: Implementation of searchable symmetric encryption in pure Python

SSEPy: Implementation of searchable symmetric encryption in pure Python Searchable symmetric encryption, one of the research hotspots in applied crypt

Scrambler - Useful File/Directory Encryption Program

This is a program that is used to scramble/encrypt files on your computer. Do not use this program to do malicious things with. I am not responsible for any damage that you do with this software.

Given a string or a text file with plain text , returns his encryption using SHA256 method

Encryption using SHA256 Given a string or a .txt file with plain text. Returns his encryption using SHA256 method Requirements : pip install pyperclip

Aza this is a text encryption software

Aza text encryptor General info Aza this is a text encryption software Help command: python aza.py --help Examples python aza.py --text "Sample text h

Stenography encryption script
Stenography encryption script

ImageCrypt Project description Installation Usage Project description Project AlexGyver on Python by TheK4n Design by ΠŸΠ°ΡˆΡƒΡˆΠΊΠ° Byte packing in decimal

Owner
Dann Luciano
Dann Luciano
A Python library to wrap age and minisign to provide key management, encryption/decryption and signing/verification functionality.

A Python library to wrap age and minisign to provide key management, encryption/decryption and signing/verification functionality.

Vinay Sajip 3 Feb 1, 2022
Simple python program to encrypt files with AES-256 encryption

simple-enc Simple python program to encrypt files with AES-256 encryption Setup First install "pyAesCrypt" using pip. Thats it! Optionally you can add

Hashm 2 Jan 19, 2022
C0mptCrypt - An object-oriented, minamalistic, simple encryption library in Python

C0mptCrypt allows you to encrypt strings of text. It can only be decrypted using C0mptCrypt and not by random online tools. You can use this for a variety of things from creating passwords, to encrypting HWIDs.

c0mpt0 4 Aug 22, 2022
A simple and secure password-based encryption & decryption algorithm based on hash functions, implemented solely based on python.

pyhcrypt A simple and secure password-based encryption & decryption algorithm based on hash functions, implemented solely based on python. Usage Pytho

Hongfei Xu 3 Feb 8, 2022
Simple one-time pad (OTP) encryption

Introduction What you will make In this resource you will learn how to create and use an encryption technique known as the one-time pad. This method o

Rabih ND 6 Nov 6, 2022
Simple encryption/decryption utility using Pycryptodome module. Working with AES and RSA algorithms.

EncypherUtil Simple encryption/decryption utility using PyCryptodome module. Working with AES and RSA algorithms. THIS UTILITY IS NOT LICENSED AS CRYP

Egor Yakubovich 0 Jun 14, 2022
A lightweight encryption library in python.

XCrypt About This was initially a project to prove that I could make a strong encryption but I decided to publish it so that the internet peoples coul

Anonymous 8 Sep 10, 2022
Python Encryption Name Game

Python 3.9.7 Encryption Name Game Encrypt a name with numbers using a Caesar cipher! You can choose different numbers to encrypt your name from 1 to o

Armand Brunelle 3 Dec 24, 2021
Python program that handles the creation, encryption and storage of log/journal files. Kinda works like a diary of sorts.

LucaSoft J.O.U.R.N.A.L The J.O.U.R.N.A.L (Just anOther User Redaction & Navigation Assistant by Lucaspec72) is a Python program that handles the creat

Lucaspec72 8 Oct 27, 2021
This is a basic encryption and decryption program made in python.

A basic encryption and decryption program to visualize how the process of protecting data works.

Junaid Chaudhry 5 Nov 15, 2021