Vault data encryption classes (python)
Project description
aiSSEMBLE™ Extensions Data Encryption Vault Python
This module provides a package for encrypting Python based pipeline data. There are multiple encryption algorithms available. Each with their own strengths and weaknesses as outlined below.
Strategy | Description |
---|---|
VaultRemoteEncryptionStrategy | Leverages the Hashicorp Vault secrets as a service capabilities. This is a highly recommended strategy given it follows best practices and has the advantage of a large developer base working to secure the service. |
VaultLocalEncryptionStrategy | Leverages the Vault service to provide encryption keys (key rotation and secure storage) but allows for local encryption. This is a good option if you have to encrypt large data objects. It can also provide a performance boost over remote Vault encryption given there is no need for a roundtrip to the server for each data element. |
AesCbcEncryptionStrategy | A good basic 128 bit encryption strategy. To use this you only need to supply a single encryption key in the encrypt.properties file (128 bit or 16 character). This algorithm works well, but is less efficient than the AES GCM algorithm. |
AesGcm96EncryptionStrategy | This is a good strategy for most encryption needs. It is efficient and strong against most attacks. You can optionally use an encryption key retrieved from the Vault service with this strategy. |
The following example illustrates how to perform encryption.
-
Example usage
- Add the following to your code
VaultRemoteEncryptionStrategy
# Uses remote Vault encryption from aissemble_encrypt.vault_remote_encryption_strategy import VaultRemoteEncryptionStrategy vault_remote = VaultRemoteEncryptionStrategy() # encrypt plain text data using Vault encrypted_value = vault_remote.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using Vault decrypted_value = vault_remote.decrypt(encrypted_value)
NOTE: If you are encrypting your data through a User Defined Function (udf) in PySpark you need to use the VaultLocalEncryptionStrategy (see below). Currently the remote version causes threading issues. This issue will likely be resolved in a future update to the Hashicorp Vault client
VaultLocalEncryptionStrategy
# Uses an encryption key retrieved from the Vault server, but performs the encryption locally. from aissemble_encrypt.vault_local_encryption_strategy import VaultLocalEncryptionStrategy vault_local = VaultLocalEncryptionStrategy() # encrypt plain text data using local Vault encrypted_value = vault_local.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using local Vault decrypted_value = vault_local.decrypt(encrypted_value)
AesCbcEncryptionStrategy
# Uses the AES CBC encryption from aissemble_encrypt.aes_cbc_encryption_strategy import AesCbcEncryptionStrategy aes_cbc = AesCbcEncryptionStrategy() # encrypt plain text data using AES CBC encrypted_value = aes_cbc.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using AES CBC decrypted_value = aes_cbc.decrypt(encrypted_value)
AesGcm96EncryptionStrategy
# AES GCM encryption with a 96 bit initialization vector (same algorithm as Vault) from aissemble_encrypt.aes_gcm_96_encryption_strategy import AesGcm96EncryptionStrategy aes_gcm_96 = AesGcm96EncryptionStrategy() # encrypt plain text data using AES GCM encrypted_value = aes_gcm_96.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using AES CBC decrypted_value = aes_gcm_96.decrypt(encrypted_value)
AISSEMBLE Data Encryption
This package includes one security client for calling the "Secrets as a Service" encryption service.
Vault encryption
See the extensions-encryption README for more information on how to configure Vault encryption.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aissemble_extensions_encryption_vault_python-1.8.0rc8.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 452172c68cc457d86b7e395be04c2a6cd8c8b99fbc8527ac2c3ceaa60d0aa329 |
|
MD5 | 5e7282af0b5bbce9151c6927b5e16e6d |
|
BLAKE2b-256 | ff6f301a50e252484597e47bc8c39ebaeba414b67e458832bc7b3b8e51a2273d |
Hashes for aissemble_extensions_encryption_vault_python-1.8.0rc8-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4601f22cdf24ba3329b32a5bd7ef8bb4e2ffec71dd74fd83c0bbc13aa2784a1a |
|
MD5 | ee2e4c49c6cce5f5b3ba6d9d562e6243 |
|
BLAKE2b-256 | 2f5859f725548f84c298d52705272c5fbf032112b14c46012d19970288b1d66c |