A set of fields that wrap standard Django fields with encryption provided Piiano Vault.
Project description
Django Encrypted Model Fields
About
This library allows you to specify specific fields to encrypt in your Django models using Vault's API in a transparent manner, taking advantage of Vault's advanced capabilities. This helps you:
- Achieve compliance with various privacy standards
- Implement TTL or expiration for data
- Get Masked or transformed versions of your data
- Rely on Vault's permission model
This is a fork of https://gitlab.com/lansharkconsulting/django/django-encrypted-model-fields which in turn is a fork of https://github.com/foundertherapy/django-cryptographic-fields. It has been renamed, and updated to support encryption through Piiano Vault's API.
Note:
Actively tested with Python 3.11.5. Should work with any Python 3.x. This package is compatible with Vault version 1.13.2. For a Vault client compatible with other versions of Vault, check other versions of this package.
Usage
First install the library:
pip install django-encryption
Add to your settings.py
(Example in here):
VAULT_ADDRESS
VAULT_API_KEY
VAULT_DEFAULT_COLLECTION
Note it is best practice to provideVAULT_ADDRESS
andVAULT_API_KEY
via environment variables in production- Add
django_encryption
toINSTALLED_APPS
In your models.py
(Example in here):
- Import any desired field type, for example:
from django_encryption.fields import EncryptedCharField
-
For each model field you would like to encrypt, replace the field name with any of the fields you imported in step 1 (For example,
EncryptedCharField
).You can customize the field by providing additional parameters such as:
encryption_type
(optional) - Can beEncryptionType.randomized
orEncryptionType.deterministic
expiration_secs
(optional) - An integer or None. If an integer, the number of seconds before the encrypted data is expired, and cannot be decrypted anymore. Works only with randomizedencryption_type
vault_collection
(optional) - The name of the vault collection that this field is related to. Defaults tosettings.VAULT_DEFAULT_COLLECTION
vault_property
(optional) - The name of the property in the vault collection that this field is related to. Defaults to the name of the field in django.data_type_name
(optional) - The name of the data type in vault. Defaults to 'string'. This only has impact when generating a vault migration, and does not change the way your django model would behave.eager
(default: true) - whether or not value will be decrypted (in a batch operation) as soon as it is fetched from the DB. If not, the value will be decrypted the first time it is accessed.
Note: use
vault_collection
together withvault_property
to specify the collection and property in vault that represent this field. This is important for permission control and audit logs. For more advanced use-cases, this would allow you to transition smoothly to using Vault as a secure storage for PII data.
Query your model as usual, keeping the following in mind:
- Read queries are batched. Reading from the Database will generate a single API call per field. Writing to the Database is not batched and will generate an API call for each field in each instance.
- By default all fields are eagerly fetched - similarly to calling prefetch_related(field_name) on a foreign key.
The SDK also supports masking and other vault transformations by using mask(MyModel.my_field) or transform('transformation-name', MyModel.my_field) as part of the query.
- This tells the encryption SDK to mask the values of MyModel.my_field. So for example, for an SSN you would get "*--6789".
- All vault's supported transformations are also supported using the
transform
context manager. See Built-in transformations in Vault's API documentation for a list of Vault's supported transformations.
Sample code
from django.db import models
from django_encryption.fields import EncryptedCharField, EncryptedEmailField, EncryptedDateField, EncryptionType
class Customer(models.Model):
name = EncryptedCharField(data_type_name='NAME')
email = EncryptedEmailField(data_type_name='EMAIL')
phone = EncryptedCharField(
data_type_name='PHONE_NUMBER', null=True, blank=True)
ssn = EncryptedCharField(
encryption_type=EncryptionType.randomized, data_type_name='SSN', null=True, blank=True)
dob = EncryptedDateField(
data_type_name='DATE_OF_BIRTH', null=True, blank=True)
state = models.CharField(max_length=100, null=True, blank=True)
You can see a full working example in our sample.
Installation for local development (with VSCode)
- Clone the repo:
git clone https://github.com/piiano/vault-python
- Ensure you have python poetry installed on your machine (a global installation). Example:
pipx install poetry
- Run the following commands from the
sdk/orm-django
directory:poetry install poetry shell code .
- To run tests:
python manage.py test
. Tests should also be available from within vscode.
NOTE Make sure you have a local copy of vault running on your machine. To do so, follow the Installations Instructions.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file django_encryption-0.3.41.tar.gz
.
File metadata
- Download URL: django_encryption-0.3.41.tar.gz
- Upload date:
- Size: 13.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.4 CPython/3.10.12 Linux/6.5.0-1025-azure
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | f589052b4ca8b250b878319468380f8be43972adf21203415e73e0604ba16bd9 |
|
MD5 | e7025e1bbb1272761a50afd7af9e609f |
|
BLAKE2b-256 | b35436dd4c8af82f4f1c0b0f96119e200e7dcd5e32aef2bfa93651ee7fc1b556 |
File details
Details for the file django_encryption-0.3.41-py3-none-any.whl
.
File metadata
- Download URL: django_encryption-0.3.41-py3-none-any.whl
- Upload date:
- Size: 12.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.4 CPython/3.10.12 Linux/6.5.0-1025-azure
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2192cd54fe7af25168700e08ec35c3d15be5aba4bf96d72a38c38a03a898d997 |
|
MD5 | a0d5cba80ab982cc9a3cfb545b464e3d |
|
BLAKE2b-256 | 40e94bd01e5c1226536bf40a2c2e0ff577ffa104ff6db88513c683eafa221a13 |