Encryption and Hashing Models for Pydantic

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for julien777z from gravatar.com julien777z

Unverified details

These details have not been verified by PyPI
Meta
  • Author: Julien Kmec
  • Requires: Python <3.15, >=3.11
  • Provides-Extra: all , aws , dev , evervault , sqlalchemy
Classifiers
Report project as malware

Project description

Encryption and Hashing Models for Pydantic

Field-level encryption, decryption, hashing, and blind indexing for Pydantic models with SQLAlchemy integration.

Installation

pip install pydantic_encryption

Optional extras

pip install "pydantic_encryption[sqlalchemy]"  # SQLAlchemy integration
pip install "pydantic_encryption[aws]"          # AWS KMS encryption
pip install "pydantic_encryption[all]"          # All optional dependencies

Quick Start

from typing import Annotated
from pydantic_encryption import BaseModel, Encrypt, Hash

class User(BaseModel):
    name: str
    address: Annotated[bytes, Encrypt]
    password: Annotated[bytes, Hash]

user = User(name="John Doe", address="123456", password="secret123")

print(user.name)      # plaintext
print(user.address)   # encrypted
print(user.password)  # hashed

Fields marked with Encrypt are encrypted and fields marked with Hash are hashed during model initialization.

To decrypt, use the Decrypt annotation:

from pydantic_encryption import Decrypt, BaseModel

class UserResponse(BaseModel):
    address: Annotated[str, Decrypt]

user = UserResponse(address=encrypted_bytes)
print(user.address)  # decrypted

Encryption Methods

Set the encryption method via environment variable:

ENCRYPTION_METHOD=fernet   # Fernet symmetric encryption (requires ENCRYPTION_KEY)
ENCRYPTION_METHOD=aws      # AWS KMS (requires AWS_KMS_KEY_ARN, AWS_KMS_REGION, etc.)
ENCRYPTION_METHOD=evervault # Evervault

There is no default — you must explicitly set ENCRYPTION_METHOD if using Encrypt/Decrypt fields.

Fernet Setup

# Generate a key
openssl rand -base64 32

# Set environment variables
ENCRYPTION_METHOD=fernet
ENCRYPTION_KEY=your_generated_key

AWS KMS Setup

ENCRYPTION_METHOD=aws
AWS_KMS_KEY_ARN=arn:aws:kms:us-east-1:123456789:key/your-key-id
AWS_KMS_REGION=us-east-1
AWS_KMS_ACCESS_KEY_ID=your_access_key
AWS_KMS_SECRET_ACCESS_KEY=your_secret_key

Separate encrypt/decrypt keys are supported for key rotation or read-only scenarios:

AWS_KMS_ENCRYPT_KEY_ARN=arn:aws:kms:...encrypt-key
AWS_KMS_DECRYPT_KEY_ARN=arn:aws:kms:...decrypt-key

See config.py for all environment variables.

SQLAlchemy Integration

Install with pip install "pydantic_encryption[sqlalchemy]".

from sqlalchemy import create_engine
from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column, Session

from pydantic_encryption.integrations.sqlalchemy import (
    SQLAlchemyEncryptedValue,
    SQLAlchemyHashed,
    SQLAlchemyBlindIndexValue,
)
from pydantic_encryption.types import BlindIndexMethod


class Base(DeclarativeBase):
    pass


class User(Base):
    __tablename__ = "users"

    id: Mapped[int] = mapped_column(primary_key=True)
    username: Mapped[str]
    email: Mapped[bytes] = mapped_column(SQLAlchemyEncryptedValue())
    password: Mapped[bytes] = mapped_column(SQLAlchemyHashed())
    blind_index_email: Mapped[bytes] = mapped_column(
        SQLAlchemyBlindIndexValue(BlindIndexMethod.HMAC_SHA256)
    )


engine = create_engine("sqlite:///:memory:")
Base.metadata.create_all(engine)

with Session(engine) as session:
    user = User(
        username="john",
        email="john@example.com",
        password="secret123",
        blind_index_email="john@example.com",
    )
    session.add(user)
    session.commit()

    # Query by blind index — automatically hashed
    found = session.query(User).filter(
        User.blind_index_email == "john@example.com"
    ).first()
    print(found.email)  # decrypted

SQLAlchemyBlindIndexValue supports the same normalization options as BlindIndex:

blind_index_email: Mapped[bytes] = mapped_column(
    SQLAlchemyBlindIndexValue(
        BlindIndexMethod.HMAC_SHA256,
        normalize_to_lowercase=True,
        strip_whitespace=True,
    )
)

Supported Types

SQLAlchemyEncryptedValue preserves the Python type of your data:

str, bytes, bool, int, float, Decimal, UUID, date, datetime, time, timedelta

Array Support (PostgreSQL)

from pydantic_encryption.integrations.sqlalchemy import SQLAlchemyPGEncryptedArray

tags: Mapped[list[str] | None] = mapped_column(SQLAlchemyPGEncryptedArray(), nullable=True)

Each element is individually encrypted. Requires PostgreSQL.

Blind Indexes

Blind indexes enable equality searches on encrypted data by storing a deterministic keyed hash alongside the ciphertext.

Configuration: Set BLIND_INDEX_SECRET_KEY via environment variable.

Pydantic Models

from typing import Annotated
from pydantic_encryption import BaseModel, BlindIndex, BlindIndexMethod

class User(BaseModel):
    email_index: Annotated[bytes, BlindIndex(BlindIndexMethod.HMAC_SHA256)]

Normalization

You can normalize values before hashing to ensure consistent lookups:

email_index: Annotated[bytes, BlindIndex(
    BlindIndexMethod.HMAC_SHA256,
    normalize_to_lowercase=True,
    strip_whitespace=True,
)]

Available options:

Option Effect
strip_whitespace Strip leading/trailing whitespace, collapse internal whitespace
strip_non_characters Remove all non-letter characters (keep only a-zA-Z)
strip_non_digits Remove all non-digit characters (keep only 0-9)
normalize_to_lowercase Convert to lowercase
normalize_to_uppercase Convert to uppercase

Methods

Method Description
BlindIndexMethod.HMAC_SHA256 Fast HMAC-SHA256 keyed hash. Standard choice.
BlindIndexMethod.ARGON2 Memory-hard Argon2 hash with deterministic salt. Better brute-force resistance.

Disable Auto-Processing

class UserResponse(BaseModel, disable=True):
    address: Annotated[bytes, Encrypt]

user = UserResponse(address="123 Main St")
user.encrypt_data()  # manual encryption

Custom Encryption or Hashing

Subclass SecureModel to implement your own logic:

from pydantic import BaseModel as PydanticBaseModel
from pydantic_encryption import SecureModel

class MySecureModel(PydanticBaseModel, SecureModel):
    def encrypt_data(self) -> None:
        # your encryption logic
        pass

    def model_post_init(self, context, /):
        self.default_post_init()
        super().model_post_init(context)

Generics

from pydantic_encryption import BaseModel

class MyModel[T](BaseModel):
    value: T

model = MyModel[str](value="Hello")
print(model.get_type())  # <class 'str'>

Run Tests

poetry install --all-extras
poetry run pytest -v

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for julien777z from gravatar.com julien777z

Unverified details

These details have not been verified by PyPI
Meta
  • Author: Julien Kmec
  • Requires: Python <3.15, >=3.11
  • Provides-Extra: all , aws , dev , evervault , sqlalchemy
Classifiers

Release history Release notifications | RSS feed

0.11.0

0.10.1

0.10.0

0.9.7

0.9.6

0.9.5

0.9.4

0.9.2

0.9.0

0.8.0

0.7.0

0.5.1

This version

0.5.0

0.4.0

0.3.2

0.3.1

0.3.0

0.2.0

0.1.3

0.1.2

0.1.1

0.1.0

0.0.4

0.0.3

0.0.2

0.0.2a11 pre-release

0.0.2a10 pre-release

0.0.2a9 pre-release

0.0.2a8 pre-release

0.0.2a7 pre-release

0.0.2a6 pre-release

0.0.2a5 pre-release

0.0.2a4 pre-release

0.0.2a3 pre-release

0.0.2a2 pre-release

0.0.2a1 pre-release

0.0.2a0 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pydantic_encryption-0.5.0.tar.gz (14.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pydantic_encryption-0.5.0-py3-none-any.whl (22.6 kB view details)

Uploaded Python 3

File details

Details for the file pydantic_encryption-0.5.0.tar.gz.

File metadata

  • Download URL: pydantic_encryption-0.5.0.tar.gz
  • Upload date:
  • Size: 14.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pydantic_encryption-0.5.0.tar.gz
Algorithm Hash digest
SHA256 10b2bea5216a7a513dcfab8b137522d9a32d6f87104d93ee1f403028f19dda00
MD5 3101f506695e13b758857532204cd2c8
BLAKE2b-256 b303960a27e608ebd0466a54f4b07a5d5ae4f1d02644913541639258bf621660

See more details on using hashes here.

Provenance

The following attestation bundles were made for pydantic_encryption-0.5.0.tar.gz:

Publisher: publish-to-pypi.yml on julien777z/pydantic-encryption

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pydantic_encryption-0.5.0-py3-none-any.whl.

File metadata

File hashes

Hashes for pydantic_encryption-0.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 82b0482d55d5ae35ceaf063afc3495cafc25d2a90be29e107d590202d5cd95d9
MD5 92741419cb6bd5bd703ed5738385cbfb
BLAKE2b-256 1684025b813dfbb38ee1452aa01dc4a41081e32d9649452933debfc5fdd0f720

See more details on using hashes here.

Provenance

The following attestation bundles were made for pydantic_encryption-0.5.0-py3-none-any.whl:

Publisher: publish-to-pypi.yml on julien777z/pydantic-encryption

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page