Skip to main content
Join the official 2019 Python Developers SurveyStart the survey!

Execute encrypted Python bytecode.

Project description


pyce is a library to work with encrypted Python bytecode. It adds functionality to a Python runtime by extending the way the builtin keyword import works. Currently, it assumes that convergent encryption will be used, but the library can be extended. For example, functionality could be added to decrypt files via Hashicorp's Vault (which also supports convergent encryption as a mode of operation).

pyce enables the creation of a Trusted Computing Python environment by ensuring each deployed file is precisely what the developer intended by enforcing end-to-end encryption. Execution halts if even a single bit of an imported Python file is modified.

How do I use it?

First, you'll want to encrypt a module or package. Note: this is a destructive action. Do not run this on a codebase that is not saved elsewhere. This can recursively operate on folders, and supports exclusion lists (to not encrypt certain files).

pyce expects files to be pre-compiled Python bytecode, using a command similar to python3 -mcompileall -b where -b does an in place compilation.

from pyce import encrypt_path
[('pyce/hello.pyce', '443df1d5f9914d13ed27950dd81aa2dd9d3b708be416c388f3226ad398d71a14')]

Second, register your keys and try importing from the encrypted module or package:

from pyce import PYCEPathFinder
PYCEPathFinder.KEYS = {'pyce/hello.pyce' : '443df1d5f9914d13ed27950dd81aa2dd9d3b708be416c388f3226ad398d71a14'}

import sys
sys.meta_path.insert(0, PYCEPathFinder)
from pyce.hello import hello

Key distribution is outside the scope of this project. You will need to maintain keys typically by using a networked key server such as Hashicorp's Vault. You could pass keys by environment variable, stdin, or some other mechanism.

Typically, you will leave (exclude) a stub file that is designed to just hook Python's import path parsers, setup the keys, and then execute your code.

What can I do with it?

File Integrity Monitoring: You could protect your production code running on application servers by adding in automatic cryptographic checks of imports.

Licensing: You could publish encrypted modules to PyPI and only release decryption keys to certain organizations, people, or others! You could publish such modules anywhere!

At-rest Code Protection: You could just protect code at rest by integrating on-the-fly decryption with an IDE or other software. This would be more of a DIY project at this point in time, but pyce gives you all the building blocks you need!


All of this code is released under the Apache v2.0 License.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pyce, version 2.0.0
Filename, size File type Python version Upload date Hashes
Filename, size pyce-2.0.0-py3-none-any.whl (9.1 kB) File type Wheel Python version py3 Upload date Hashes View hashes
Filename, size pyce-2.0.0.tar.gz (7.3 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page