Hopiu/django-fernet-encrypted-fields
1
0
Fork 0
mirror of https://github.com/jazzband/django-fernet-encrypted-fields.git synced 2026-03-16 22:40:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
django-fernet-encrypted-fields/encrypted_fields/fields.py

90 lines
2.6 KiB
Python
Raw Normal View History

first commit
2021-09-30 14:27:19 +00:00
import base64
from django.conf import settings
Adding in support for multiple SALTs thus allowing them to be rotated This commit adds in support for the SALT to be rotated by defining a list of salts within settings.py where the newer salts are added to the start. The first key will be used to encrypt all new data, and decryption of existing values will be attempted with all given keys in order. This is useful for key rotation: place a new key at the head of the list for use with all new or changed data, but existing values encrypted with old keys will still be accessible This is based of django-fernet-fields which is a dead package but has some useful features such as this to allow the salt to be rotated in the future for a stronger salt. ``` SALT_KEY = [ 'my-newer-salt', 'the-original-salt' ] ```
2021-12-08 11:12:44 +00:00
from cryptography.fernet import Fernet, MultiFernet
first commit
2021-09-30 14:27:19 +00:00
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from django.db import models
Adding in support for multiple SALTs thus allowing them to be rotated This commit adds in support for the SALT to be rotated by defining a list of salts within settings.py where the newer salts are added to the start. The first key will be used to encrypt all new data, and decryption of existing values will be attempted with all given keys in order. This is useful for key rotation: place a new key at the head of the list for use with all new or changed data, but existing values encrypted with old keys will still be accessible This is based of django-fernet-fields which is a dead package but has some useful features such as this to allow the salt to be rotated in the future for a stronger salt. ``` SALT_KEY = [ 'my-newer-salt', 'the-original-salt' ] ```
2021-12-08 11:12:44 +00:00
from django.utils.functional import cached_property
first commit
2021-09-30 14:27:19 +00:00
class EncryptedFieldMixin(object):
Adding in support for multiple SALTs thus allowing them to be rotated This commit adds in support for the SALT to be rotated by defining a list of salts within settings.py where the newer salts are added to the start. The first key will be used to encrypt all new data, and decryption of existing values will be attempted with all given keys in order. This is useful for key rotation: place a new key at the head of the list for use with all new or changed data, but existing values encrypted with old keys will still be accessible This is based of django-fernet-fields which is a dead package but has some useful features such as this to allow the salt to be rotated in the future for a stronger salt. ``` SALT_KEY = [ 'my-newer-salt', 'the-original-salt' ] ```
2021-12-08 11:12:44 +00:00
@cached_property
def keys(self):
keys = []
salt_keys = settings.SALT_KEY if isinstance(settings.SALT_KEY, list) else [settings.SALT_KEY]
for salt_key in salt_keys:
salt = bytes(salt_key, 'utf-8')
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
backend=default_backend())
keys.append(base64.urlsafe_b64encode(kdf.derive(settings.SECRET_KEY.encode('utf-8'))))
return keys
first commit
2021-09-30 14:27:19 +00:00
Adding in support for multiple SALTs thus allowing them to be rotated This commit adds in support for the SALT to be rotated by defining a list of salts within settings.py where the newer salts are added to the start. The first key will be used to encrypt all new data, and decryption of existing values will be attempted with all given keys in order. This is useful for key rotation: place a new key at the head of the list for use with all new or changed data, but existing values encrypted with old keys will still be accessible This is based of django-fernet-fields which is a dead package but has some useful features such as this to allow the salt to be rotated in the future for a stronger salt. ``` SALT_KEY = [ 'my-newer-salt', 'the-original-salt' ] ```
2021-12-08 11:12:44 +00:00
@cached_property
def f(self):
if len(self.keys) == 1:
return Fernet(self.keys[0])
return MultiFernet([Fernet(k) for k in self.keys])
first commit
2021-09-30 14:27:19 +00:00
def get_internal_type(self):
"""
To treat everything as text
"""
return 'TextField'
def get_prep_value(self, value):
if value:
if not isinstance(value, str):
value = str(value)
return self.f.encrypt(bytes(value, 'utf-8')).decode('utf-8')
return None
def get_db_prep_value(self, value, connection, prepared=False):
if not prepared:
value = self.get_prep_value(value)
return value
def from_db_value(self, value, expression, connection):
return self.to_python(value)
def to_python(self, value):
if value is None or not isinstance(value, str):
return value
value = self.f.decrypt(bytes(value, 'utf-8')).decode('utf-8')
return super(EncryptedFieldMixin, self).to_python(value)
class EncryptedCharField(EncryptedFieldMixin, models.CharField):
pass
class EncryptedTextField(EncryptedFieldMixin, models.TextField):
pass
class EncryptedDateTimeField(EncryptedFieldMixin, models.DateTimeField):
pass
class EncryptedIntegerField(EncryptedFieldMixin, models.IntegerField):
pass
class EncryptedDateField(EncryptedFieldMixin, models.DateField):
pass
class EncryptedFloatField(EncryptedFieldMixin, models.FloatField):
pass
class EncryptedEmailField(EncryptedFieldMixin, models.EmailField):
pass
class EncryptedBooleanField(EncryptedFieldMixin, models.BooleanField):
pass
Reference in a new issue Copy permalink