Vault data encryption classes (python)
Project description
aiSSEMBLE™ Extensions Data Encryption Vault Python
This module provides a package for encrypting Python based pipeline data. There are multiple encryption algorithms available. Each with their own strengths and weaknesses as outlined below.
Strategy | Description |
---|---|
VaultRemoteEncryptionStrategy | Leverages the Hashicorp Vault secrets as a service capabilities. This is a highly recommended strategy given it follows best practices and has the advantage of a large developer base working to secure the service. |
VaultLocalEncryptionStrategy | Leverages the Vault service to provide encryption keys (key rotation and secure storage) but allows for local encryption. This is a good option if you have to encrypt large data objects. It can also provide a performance boost over remote Vault encryption given there is no need for a roundtrip to the server for each data element. |
AesCbcEncryptionStrategy | A good basic 128 bit encryption strategy. To use this you only need to supply a single encryption key in the encrypt.properties file (128 bit or 16 character). This algorithm works well, but is less efficient than the AES GCM algorithm. |
AesGcm96EncryptionStrategy | This is a good strategy for most encryption needs. It is efficient and strong against most attacks. You can optionally use an encryption key retrieved from the Vault service with this strategy. |
The following example illustrates how to perform encryption.
-
Example usage
- Add the following to your code
VaultRemoteEncryptionStrategy
# Uses remote Vault encryption from aissemble_encrypt.vault_remote_encryption_strategy import VaultRemoteEncryptionStrategy vault_remote = VaultRemoteEncryptionStrategy() # encrypt plain text data using Vault encrypted_value = vault_remote.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using Vault decrypted_value = vault_remote.decrypt(encrypted_value)
NOTE: If you are encrypting your data through a User Defined Function (udf) in PySpark you need to use the VaultLocalEncryptionStrategy (see below). Currently the remote version causes threading issues. This issue will likely be resolved in a future update to the Hashicorp Vault client
VaultLocalEncryptionStrategy
# Uses an encryption key retrieved from the Vault server, but performs the encryption locally. from aissemble_encrypt.vault_local_encryption_strategy import VaultLocalEncryptionStrategy vault_local = VaultLocalEncryptionStrategy() # encrypt plain text data using local Vault encrypted_value = vault_local.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using local Vault decrypted_value = vault_local.decrypt(encrypted_value)
AesCbcEncryptionStrategy
# Uses the AES CBC encryption from aissemble_encrypt.aes_cbc_encryption_strategy import AesCbcEncryptionStrategy aes_cbc = AesCbcEncryptionStrategy() # encrypt plain text data using AES CBC encrypted_value = aes_cbc.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using AES CBC decrypted_value = aes_cbc.decrypt(encrypted_value)
AesGcm96EncryptionStrategy
# AES GCM encryption with a 96 bit initialization vector (same algorithm as Vault) from aissemble_encrypt.aes_gcm_96_encryption_strategy import AesGcm96EncryptionStrategy aes_gcm_96 = AesGcm96EncryptionStrategy() # encrypt plain text data using AES GCM encrypted_value = aes_gcm_96.encrypt('SOME PLAIN TEXT') # decrypt cipher text data using AES CBC decrypted_value = aes_gcm_96.decrypt(encrypted_value)
AISSEMBLE Data Encryption
This package includes one security client for calling the "Secrets as a Service" encryption service.
Vault encryption
See the extensions-encryption README for more information on how to configure Vault encryption.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aissemble_extensions_encryption_vault_python-1.8.1rc2.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 809aba6059841c9fe5e5fb34562394d91277131671c962ac7cb90255aa8b5f88 |
|
MD5 | bac401e817b3e6e684915fdb281b0e3d |
|
BLAKE2b-256 | c1e772b015053ce4819d9903395428b015e9cc678078a393b305671cf22d21ea |
Hashes for aissemble_extensions_encryption_vault_python-1.8.1rc2-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2876cfcbb733f28630e03ed866a064e03a7e68d750c5c1f0a3b652023aca797a |
|
MD5 | 9ef7aa2e649b1f60ed21cd1b5ff0f50a |
|
BLAKE2b-256 | 0515e38a5d2dadd594f5767068fca71036d53df5080fce52d2926f11a3e6a61b |