Skip to main content
Join the official 2020 Python Developers SurveyStart the survey!

Python library for pluggable asymmetric low-level encryption

Project description


Python (>= 3.7) library for asymmetric cryptography with algorithms such as RSA and ECC.

Various backends implement wrappers around other crypto libraries (such as
and makes them available using a unified API. The actual cryptographic operations are carried out
by those backend libraries.

No hard dependencies on any non-python libraries such as OpenSSL exist.

CryptoKey is meant to be used by other libraries that need to carry out cryptographic
operations. That could e.g. be an ACME client, TrustedTimeStamp service or an SSH client.

Users can implement their own backends to utilise their favourite HSM or smartcard,
cloud HSMs or their own ECC implementation (don't!), etc.

CryptoKey can thus be seen as a python alternative to PKCS#11.

There are high-level interfaces such as `key.sign(msg)` which just do the right thing,
and low-level interfaces such as `rsakey.sign_int` to calculate `s = m ** d % n` which,
if used incorrectly, opens up security holes.

Implementations for padding schemes such as PSS are given. They can be used for low-level
plumbing like extracting the salt from a PSS signature or creating a PSS signature with a
specific salt.

One stated goal is to provide interfaces for unsafe operations too.
If you want to shoot yourself in the foot, here's the tool to do it!


Sign a message::
from asyncio import run
from cryptography.hazmat.primitives import serialization
from cryptokey.backend.cryptography import backend
from cryptokey.backend.cryptography.rsa import RsaPrivateKey

# Load a private key using normal operations.
with open('private.key', 'rb') as fp:
cryptography_key = serialization.load_pem_private_key(,

# Create wrapper
key = RsaPrivateKey(cryptography_key)

# Sign a message. By default, PSS and SHA2_256 are used. The
# signature object also contains the parameters that were used.
sig = run(key.sign(b'Hello, World!'))

# Write signature to a file.
with open('hello.sig', 'wb') as fp:

Verifying the signature using openssl::
echo -n 'Hello, World!' | openssl sha256 -binary | openssl pkeyutl \
-verify -inkey private.key -sigfile hello.sig -pkeyopt digest:sha256 \
-pkeyopt rsa_padding_mode:pss

Solving homework::
from asyncio import run
from cryptokey.backend.textbook.rsa import TextbookRsaPrivateKey

key = TextbookRsaPrivateKey(public_exponent=7, primes=(17, 31))
print(f'Private exponent: {key.private_exponent}')
print(f'Signature for M=2: {run(key.sign_int(2)).int_value}')

This library is supposed to be just as (in)secure as the used backend.
If in doubt, use the `cryptography` backend, which builds upon OpenSSL.

The `textbook` backend is deliberately insecure and should not be used for
real applications.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for cryptokey, version 0.2.2
Filename, size File type Python version Upload date Hashes
Filename, size cryptokey-0.2.2-py3-none-any.whl (32.1 kB) File type Wheel Python version py3 Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page