Tink-based encrypted model fields for Django
Project description
Django Tink Fields
Leverages Google Tink to encrypt Django's core model fields. This work is heavily based on the work of Django Fernet Fields which seems to have been abandoned last few years.
Installation
Use pip
to install django-tink-fields
:
pip install django-tink-fields
Edit settings.py
and introduce a configuration section for TINK_FIELDS_CONFIG
:
TINK_FIELDS_CONFIG = {
"default": {
"cleartext": False,
"path": "/path/to/an/encryted_keyset.json",
},
"another": {
"cleartext": True,
"path": "/path/to/a/cleartext_keyset.json",
}
}
Tink keysets can be created via tinkey
and may optionally be wrapped via a key-management system such as AWS KMS
or GCP KMS
.
To create a cleartext keyset for testing purposes:
tinkey create-keyset --out-format json --out test_plaintext_keyset.json --key-template AES128_GCM
Alternatively, to create an encrypted keyset that is wrapped by GCP KMS
, specify --master-key-uri
as follow:
tinkey create-keyset --out-format json --out test_encrypted_keyset.json --key-template AES128_GCM --master-key-uri=gcp-kms://projects/foo1/locations/global/keyRings/foo2/cryptoKeys/foo3
To learn more about tinkey
read the relevant documentation.
Examples
The following model creates an encrypted char field that makes use of the default
keyset.
from django.db import models
from tink_fields import EncryptedCharField
class SomeModel(models.Model):
some_value = EncryptedCharField(max_length=32)
You may specify a specific keyset by providing a keyset
keyword argument:
from django.db import models
from tink_fields import EncryptedCharField
class AnotherModel(models.Model):
some_value = EncryptedCharField(max_length=32, keyset="another")
Supported field types include: EncryptedCharField
, EncryptedTextField
, EncryptedDateField
, EncryptedDateTimeField
, EncryptedEmailField
, and EncryptedIntegerField
.
Associated Data
The encrypted fields make use of Authenticated Encryption With Associated Data (AEAD)
which offers confidentiality and integrity within the same mode of operation. This allows the caller to specify a cleartext fragment named additional authenticated data (aad)
to the encryption and decryption operations and receive cryptographic guarantees that the ciphertext data has not been tampered with.
To specify the aad
fragment, provide a callback function aad_callback
in the keyword arguments:
from django.db import models
from tink_fields import EncryptedCharField
class AnotherModel(models.Model):
some_value = EncryptedCharField(max_length=32, aad_callback=lambda x: b"some value")
The value passed to the callback is the instance of the model field, with a signature of Callable[[models.Field], bytes]
. As a reminder, the associated data is not encrypted so do not store sensitive data in it.
Acknowledgements
Authors
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django_tink_fields-0.2.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 618ef737dbe72ae0b2567d8b768cb4fc89224a32831909b814d628e942c7d74f |
|
MD5 | bc481bc9503faf8c97bda0080b00e297 |
|
BLAKE2b-256 | 3079c86a5dfa23363c61476f3423ad46e187d4afdecdd3a9dfd28755d4ba9cc9 |