Password-protected secrets made easy.

Privy is a small and fast utility for password-protecting secrets such as seeds for digital signatures or Bitcoin wallets.

Usage

>>> import privy
>>>
>>> secret = b'secret'
>>> password = 'foo'
>>>
>>> hidden = privy.hide(secret, password)
>>> hidden
'1$2$fL7xRh8WKe...'
>>>
>>> privy.peek(hidden, password)
b'secret'

Installation

Privy is available on Linux/macOS and Windows and supports Python 2.7, 3.3+, PyPy, and PyPy3.3-5.5+.

$ pip install privy

Encryption scheme

Secrets are encrypted using the Fernet protocol, which uses AES for encryption and has built-in authentication using HMAC. The private key used for encryption is derived from the password using a key derivation function. The key derivation function used is Argon2, the winner of the Password Hashing Competition. Both Argon2i and Argon2d variants are supported.

Secrets encrypted with default settings are unicode strings of length 185.

Encrypted format

ascii(Argon2 algorithm || security level || base64(salt) || base64(Fernet token))
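
An added example (not part of Privy's own code): a standard-library parser for the format above that reads the algorithm id, security level, salt and Fernet timestamp from a hidden string without the password, which is enough to audit stored values for low security levels. It assumes the '$' separator seen in the usage output, url-safe base64 for the last two fields, and the token layout from the Fernet spec; inspect_hidden, weak_entries and make_sample are hypothetical names, and the sample values are constructed.

```python
import base64
import struct
from collections import namedtuple

HiddenInfo = namedtuple("HiddenInfo", "algorithm security salt issued_at ciphertext_len")

def _b64(text):
    # url-safe base64 (the format since 2.0.1); re-pad in case '=' was stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def inspect_hidden(hidden):
    """Split a hidden string into its fields; no password is needed for this."""
    parts = hidden.split("$")  # assumed separator, as in '1$2$fL7xRh8WKe...'
    if len(parts) != 4:
        raise ValueError("expected 4 '$'-separated fields")
    algorithm, security = int(parts[0]), int(parts[1])
    if not 0 <= security <= 20:
        raise ValueError("security level outside 0-20")
    salt, token = _b64(parts[2]), _b64(parts[3])
    # Fernet token: version(1)=0x80 | timestamp(8, big-endian) | IV(16)
    #               | ciphertext(16*n) | HMAC(32)
    if len(token) < 73 or token[0:1] != b"\x80":
        raise ValueError("not a Fernet token")
    ct_len = len(token) - 1 - 8 - 16 - 32
    if ct_len % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    (issued_at,) = struct.unpack(">Q", token[1:9])  # seconds since the epoch
    return HiddenInfo(algorithm, security, salt, issued_at, ct_len)

def weak_entries(hidden_values, minimum_level=2):
    """Return the inputs whose security level is below minimum_level."""
    return [h for h in hidden_values if inspect_hidden(h).security < minimum_level]

def make_sample(algorithm, security, issued_at, blocks=1):
    # Constructed sample: correct layout, zero-filled salt/IV/ciphertext/HMAC,
    # so it parses but can never be decrypted.
    token = b"\x80" + struct.pack(">Q", issued_at) + bytes(16 + 16 * blocks + 32)
    enc = lambda raw: base64.urlsafe_b64encode(raw).decode("ascii")
    return "{}${}${}${}".format(algorithm, security, enc(bytes(32)), enc(token))

if __name__ == "__main__":
    sample = make_sample(1, 2, 1500000000)
    print(inspect_hidden(sample))
    print(weak_entries([sample, make_sample(1, 0, 1500000000)]))
```

The parser does not verify the HMAC, so it reports what a stored value claims, not that the value is intact; only peek with the correct password authenticates it.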

API

There are 2 functions: hide and peek.

hide(secret, password, security=2, salt=None, server=True)

Encrypts secret using password. Returns the hidden secret as unicode.

  • Parameters

    • secret (bytes) - The secret to encrypt.

    • password (bytes or unicode) - The password used to access the secret.

    • security (int) - A number 0-20 inclusive. Higher values are more secure at the cost of slower computation and greater use of memory. See security levels.

    • salt (bytes) - The salt used for the password hash. Defaults to os.urandom(32).

    • server (bool) - If True, it is assumed side-channel attack protection is needed and therefore the Argon2i algorithm will be used. Otherwise, the password will be hashed using the Argon2d algorithm.

peek(hidden, password, expires=None)

Decrypts hidden using password. Returns the secret as bytes.

  • Parameters

    • hidden (bytes or unicode) - The hidden secret to decrypt.

    • password (bytes or unicode) - The password used to access the secret.

    • expires (int) - The maximum number of seconds since encryption that is allowed. The default is no expiration.

A ValueError will be raised if the password is wrong, the password was attempted on a different hidden secret, or the number of seconds since encryption exceeds the expires argument.

Security levels

All expected times were taken from tests on an Intel Core i7-2670QM @ 2.2 GHz.

Levels  Argon2 settings   Expected time  Notes
------  ----------------  -------------  --------------------------
0       m=8 KiB, t=1      600 usec       Lowest possible
1       m=4 MiB, t=10     50 msec
2       m=8 MiB, t=10     100 msec       Default
3       m=32 MiB, t=10    350 msec
4       m=48 MiB, t=10    550 msec
5       m=96 MiB, t=10    1.1 sec        Good choice
6       m=256 MiB, t=10   3 sec
7       m=448 MiB, t=10   5.3 sec
8       m=768 MiB, t=10   9.1 sec
9       m=1 GiB, t=10     12.2 sec
10      m=2 GiB, t=20     48 sec         For use on users’ machines
11      m=3 GiB, t=30     ?
12      m=4 GiB, t=40     ?
13      m=5 GiB, t=50     ?
14      m=6 GiB, t=60     ?
15      m=7 GiB, t=70     ?
16      m=8 GiB, t=80     ?
17      m=9 GiB, t=90     ?
18      m=10 GiB, t=100   ?
19      m=11 GiB, t=110   ?
20      m=12 GiB, t=120   ?

Changelog

Important changes are emphasized.

3.0.0

  • Added security levels 11-20. These are quite resource intensive and are therefore only acceptable for individual use.

2.0.1

  • Breaking: Due to requests, the encrypted format now uses url-safe base64 instead of hex.

1.0.0

  • Initial release

Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

privy-3.0.0-py2.py3-none-any.whl (12.6 kB)

Uploaded Python 2 Python 3

File hashes

Hashes for privy-3.0.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 6a5af37876a60a9e8986df9539bc38d09e059c74026290f8a8c454edfbdbc333
MD5 e7f3a0e0936be2299ccd74a121ab7838
BLAKE2b-256 dd65a6429465693b8d2b61218141339552aaf6df8fe3768e23eed1e1892747be
