Production-ready cryptographic abstraction layer for Python applications
Project description
Flash512-Vanguard
Production-Ready Cryptographic Abstraction Layer for Python A secure-by-default encryption library that combines AES-256-GCM with memory-hard key derivation (Argon2id/PBKDF2). Designed for applications that need strong encryption without requiring cryptographic expertise.
🎯 Philosophy
Flash512-Vanguard is not a cryptographic primitive library. It's an opinionated abstraction layer that:
- ✅ Uses industry-standard primitives (AES-256-GCM, Argon2id, PBKDF2)
- ✅ Makes the secure way the easy way (secure-by-default API)
- ✅ Handles the hard problems (nonce management, parameter rotation, memory protection)
- ✅ Provides backward compatibility (tokens are self-describing)
We do NOT:
- ❌ Invent new cryptographic algorithms
- ❌ Support legacy/deprecated algorithms (no RC4, DES, ECB, etc.)
- ❌ Claim to be "unbreakable" or "military-grade" (we use precise technical language)
🚀 Quick Start
Installation
pip install flash512-vanguard
Basic Usage
import os
from flash512 import Flash512Vanguard
# Set the Core Secret (required, must be >= 64 chars)
os.environ['FLASH512_VANGUARD_CORE'] = 'your-super-secret-core-key-at-least-64-characters-long'
# Encrypt data
plaintext = b"Sensitive user data"
password = "UserPassword123!"
token = Flash512Vanguard.protect(plaintext, password)
print(f"Token: {token}")
# Output: v3.A.bWVtPTEwMjQwMCx0aW1lPTQscGFyYWxsZWw9Mg==...
# Decrypt data
decrypted = Flash512Vanguard.open(token, password)
assert decrypted == plaintext
Secure Memory Management
from flash512 import Flash512Vanguard, secure_open
# Decrypt into a memory-hardened buffer that auto-wipes
token = Flash512Vanguard.protect(b"Secret", "Pass123")
with secure_open(token, "Pass123") as buffer:
plaintext = buffer.data
# Process plaintext...
# Buffer is automatically wiped here (overwritten with zeros)
🔐 Security Features
1.Authenticated Encryption (AES-256-GCM)
-
Confidentiality: AES-256 in GCM mode
-
Integrity: GCM authentication tag detects tampering
-
Nonce Management: Cryptographically secure random nonces (96-bit, NIST SP 800-38D)
2.Memory-Hard Key Derivation
-
Primary: Argon2id (resistant to GPU/ASIC attacks)
-
Fallback: PBKDF2-HMAC-SHA512 (for compatibility)
-
Configurable Parameters: Memory cost, time cost, parallelism
3.Self-Describing Tokens
Tokens include version and KDF parameters, enabling:
- Backward compatibility (old tokens work with new library versions)
- Parameter rotation (upgrade security without breaking existing data)
Token Format (v3):
v3 | kdf_type | kdf_params | salt | nonce | ciphertext
4.Memory Protection
- mlock(): Prevents sensitive data from being swapped to disk
- SecureBuffer: Auto-wipes memory on destruction
- Context Manager: Automatic cleanup with with statement
📊 Threat Model
What Flash512-Vanguard Protects Against:
✅ Database Breach: If an attacker steals your database, they cannot decrypt tokens without:
- The user's password
- The Core Secret (server-side environment variable)
✅ Tampering: GCM authentication detects any modification to tokens
✅ Memory Attacks: mlock() prevents sensitive data from being written to swap files
✅ Side-Channel Attacks: Uses constant-time operations where possible
What Flash512-Vanguard Does NOT Protect Against:
❌ Weak Passwords: If a user chooses "password123", no library can save them
❌ Core Secret Compromise: If an attacker gains access to your server's environment variables, all bets are off
❌ Client-Side Attacks: Keyloggers, screen capture, etc. are outside our scope
❌ Quantum Computers: AES-256 is post-quantum secure, but Argon2id/PBKDF2 are not
⚙️ Configuration
Environment Variables
# Required: Core Secret (must be >= 64 characters)
export FLASH512_VANGUARD_CORE="your-super-secret-core-key..."
# Optional: Argon2id parameters (OWASP recommended defaults)
export ARGON2_MEMORY_COST=102400 # 100 MB
export ARGON2_TIME_COST=4 # 4 iterations
export ARGON2_PARALLELISM=2 # 2 threads
*Choosing KDF Parameters*
For most applications (default):
- Memory: 100 MB
- Time: 4 iterations
- Parallelism: 2 threads
For high-security applications:
- Memory: 256 MB
- Time: 6 iterations
- Parallelism: 4 threads
For low-resource environments (use PBKDF2):
token = Flash512Vanguard.protect(data, password, use_argon2=False)
🔄 Migration & Backward Compatibility
Token Versioning
Flash512-Vanguard tokens are versioned. The library automatically detects the version and uses the correct parameters.
Supported versions:
- v2.0 / v2.1: Legacy format (no KDF parameters in token)
- v3: Current format (self-describing, includes KDF parameters)
Rotating KDF Parameters
If you want to increase security (e.g., higher Argon2 memory cost), new tokens will use the new parameters automatically. Old tokens remain decryptable because they include their original parameters.
# Old token (created with mem=102400)
old_token = "v3.A.bWVtPTEwMjQwMCx0aW1lPTQscGFyYWxsZWw9Mg==..."
# Still works, even if you changed ARGON2_MEMORY_COST to 204800
plaintext = Flash512Vanguard.open(old_token, password)
🧪 Testing
# Run all tests
pytest tests/
# Run with coverage
pytest --cov=flash512 tests/
# Run property-based tests
pytest tests/test_property.py
📚 API Reference
Flash512Vanguard.protect(plaintext: bytes, user_secret: str, use_argon2: bool = True) -> str
Encrypt data and return a self-describing token.
Parameters:
- plaintext (bytes): Data to encrypt (must be bytes, not str)
- user_secret (str): User-provided password (min 6 characters)
- use_argon2 (bool): Use Argon2id (default) or PBKDF2 if False
Returns: Token string in v3 format
Raises:
- TypeError: If plaintext is not bytes
- ValueError: If password is too short or plaintext is empty
- EnvironmentError: If FLASH512_VANGUARD_CORE is not set
Flash512Vanguard.open(token: str, user_secret: str) -> bytes
Decrypt a token and return the plaintext.
Parameters:
- token (str): Token string from protect()
- user_secret (str): User password used during encryption
Returns: Decrypted data as bytes
Raises:
- ValueError: If token is invalid, tampered, or password is wrong
secure_open(token: str, secret: str) -> SecureBuffer
Context manager that decrypts into a memory-hardened buffer.
Usage:
with secure_open(token, password) as buffer:
plaintext = buffer.data
# Process...
# Buffer auto-wiped here
🛡️ Security Best Practices
- Use a strong Core Secret: Generate with openssl rand -base64 64
- Rotate passwords: Use Flash512Vanguard.rotate_secret() periodically
- Monitor audit logs: The library logs all encryption/decryption events
- Use SecureBuffer: Always use secure_open() for sensitive data
- Keep dependencies updated: Run pip-audit regularly
🤝 Contributing
Contributions are welcome! Please read CONTRIBUTING.md for guidelines.
📄 License
MIT License - see LICENSE for details.
🙏 Acknowledgments
Built on top of:
-
cryptography - AES-256-GCM implementation
-
argon2-cffi - Argon2id implementation
📞 Support & Security
- Issues: GitHub Issues
- Security vulnerabilities: See SECURITY.md
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file flash512_vanguard-3.0.1.tar.gz.
File metadata
- Download URL: flash512_vanguard-3.0.1.tar.gz
- Upload date:
- Size: 29.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a383c13a348cb101deac1ba178bcc47e1ceda1617d2b079b7e25c130313a3398
|
|
| MD5 |
88ea81341b20a281d0f5438bbd384076
|
|
| BLAKE2b-256 |
056cc83483c9af425eb325de1bcf18f0b98b00f39d266219a8a7557ec900b654
|
File details
Details for the file flash512_vanguard-3.0.1-py3-none-any.whl.
File metadata
- Download URL: flash512_vanguard-3.0.1-py3-none-any.whl
- Upload date:
- Size: 20.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4be9dd8e09b7758ba59c27b4dba19cc19fd8bacf98251ec9b165b88c25d78a94
|
|
| MD5 |
91402a693e444ebf91fbb616ab6aa403
|
|
| BLAKE2b-256 |
fd927cdbb4b1694fd63e4d699e6045d8bfc014c95e427555a56e8a2857d171d7
|