Skip to main content

Execute encrypted Python bytecode.

Project description

PYCE

pyce is a library to work with encrypted Python bytecode. It adds functionality to a Python runtime by extending the way the builtin keyword import works. Currently, it assumes that convergent encryption will be used, but the library can be extended. For example, functionality could be added to decrypt files via Hashicorp's Vault (which also supports convergent encryption as a mode of operation).

pyce enables the creation of a Trusted Computing Python environment by ensuring each deployed file is precisely what the developer intended by enforcing end-to-end encryption. Execution halts if even a single bit of an imported Python file is modified.

How do I use it?

First, you'll want to encrypt a module or package. Note: this is a destructive action. Do not run this on a codebase that is not saved elsewhere. This can recursively operate on folders, and supports exclusion lists (to not encrypt certain files).

pyce expects files to be pre-compiled Python bytecode, using a command similar to python3 -mcompileall -b where -b does an in place compilation.

from pyce import encrypt_path
encrypt_path('pyce/hello.pyc')
[('pyce/hello.pyce', '443df1d5f9914d13ed27950dd81aa2dd9d3b708be416c388f3226ad398d71a14')]

Second, register your keys and try importing from the encrypted module or package:

from pyce import PYCEPathFinder
PYCEPathFinder.KEYS = {'pyce/hello.pyce' : '443df1d5f9914d13ed27950dd81aa2dd9d3b708be416c388f3226ad398d71a14'}

import sys
sys.meta_path.insert(0, PYCEPathFinder)
from pyce.hello import hello
hello()

Key distribution is outside the scope of this project. You will need to maintain keys typically by using a networked key server such as Hashicorp's Vault. You could pass keys by environment variable, stdin, or some other mechanism.

Typically, you will leave (exclude) a stub file that is designed to just hook Python's import path parsers, setup the keys, and then execute your code.

What can I do with it?

File Integrity Monitoring: You could protect your production code running on application servers by adding in automatic cryptographic checks of imports.

Licensing: You could publish encrypted modules to PyPI and only release decryption keys to certain organizations, people, or others! You could publish such modules anywhere!

At-rest Code Protection: You could just protect code at rest by integrating on-the-fly decryption with an IDE or other software. This would be more of a DIY project at this point in time, but pyce gives you all the building blocks you need!

License

All of this code is released under the Apache v2.0 License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyce-2.0.0.tar.gz (7.3 kB view details)

Uploaded Source

Built Distribution

pyce-2.0.0-py3-none-any.whl (9.1 kB view details)

Uploaded Python 3

File details

Details for the file pyce-2.0.0.tar.gz.

File metadata

  • Download URL: pyce-2.0.0.tar.gz
  • Upload date:
  • Size: 7.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.0.0 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/3.6.5

File hashes

Hashes for pyce-2.0.0.tar.gz
Algorithm Hash digest
SHA256 edb5d4d44ebec0453f76d7930c85c92af2c036b6ecd5d1ad83f6c3213c7be758
MD5 1ddaf7ae13db5f01fd0c551874fe961f
BLAKE2b-256 4ecd9d8d9299e8ad81a0fa0352d242f269a2789228c3976f622c9364ef7e2723

See more details on using hashes here.

File details

Details for the file pyce-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: pyce-2.0.0-py3-none-any.whl
  • Upload date:
  • Size: 9.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.0.0 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/3.6.5

File hashes

Hashes for pyce-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3a679de025d444dc66250ed73a52f61ef2930ff595b69ba471d6ba438253f877
MD5 53294a9fb78b48e92f5e96909b08e3f4
BLAKE2b-256 3979cba14351f49d92d9ece1a5d25700808304a13ba7c57c275397ff7945b894

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page