a Python library for salty encryption and decryption of files and directories
Project description
SCryptoPy
Salted Crypto Python library. Allows to encrypt and decrypt files and directories using popular cryptographic algorithms with salty passphrases.
Purpose
This library allows to securely encrypt and decrypt files and directories, using different passphrase for each encrypted item. The idea is to use just one file (keyfile) for encryption and decryption, but different passphrases are used for each encrypted item internally. One of the possible applications is an encryption of the backup that is uploaded to publically available cloud services (like Dropbox, Google Drive, OneDrive). This library also provides CLI (command-line interface).
Keyfiles
Structure (technical details)
Keyfile should describe an object with the following parameters:
- keys is an array of keys. Should contain at least one element. Each element has the following format:
- key is an array of encryption stages:
- stage is an object with the following parameters:
- algorithm is a name of encoding algorithm (see supported encryption algorithms);
- passphrase_template is a passphrase template (see salts and passphrases);
- num_salts is a number of the used salts. Although all the salts are generated and stored for each file, passphrase template might use any subset of them (see salts and passphrases). Should be less than 256;
- stage is an object with the following parameters:
- key is an array of encryption stages:
- data_key_index is an index of key in keys that is going to be used for data encryption;
- filename_key_index is an index of element in keys that is going to be used for filename encryption;
- dirname_key_index is an index of element in keys that is going to be used for directory name encryption.
Array indices always start with 0. Note that indices for data, filename and dirname are not required to be different from each other.
Example
Keyfiles are represented as json files. Note: passphrase templates used here are just examples. Do not use them in your own keyfiles!
{
'keys':
[
[
{
'algorithm': 'TWOFISH',
'passphrase_template': 'WYGkxg4s4rzxj{salt1}qwsYrP8G{salt0}BaxNxGnUh',
'num_salts': 2
},
{
'algorithm': 'AES256',
'passphrase_template': 'pvOKLChPDN{salt4}iD6sPqGo7dUdbshYgh7',
'num_salts': 5
},
{
'algorithm': 'AES256',
'passphrase_template': 'yaWgfEnF17vmkzr0s6d{salt4}W0uKami485Z',
'num_salts': 7
}
],
[
{
'algorithm': 'AES256',
'passphrase_template': 'voS8tfqiSvsulLSh5xfaBssx1p80GF',
'num_salts': 0
}
],
[
{
'algorithm': 'AES256',
'passphrase_template': 'Wth4Oco2518uiEp{salt3}Ykn2Cfts80mj5Qo',
'num_salts': 5
}
]
],
'data_key_index': 0,
'filename_key_index': 2,
'dirname_key_index': 1
}
Encryption details
Supported encryption algorithms
This tool uses gpg internally. Check Cipher section of gpg --version to see which symmetric cipher algorithms are supported. E.g., in version 2.2.32, the following algorithms are listed: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256.
Encryption
Data is encrypted in several stages. If encryption key specified in keyfile has more than one stage, data is encrypted using keys consecutively: first, data is encrypted using the first stage key. Then, new encrypted data is encrypted using the second stage key. The process goes on until there are no more stages left. Decryption works in the same way, but in reversed order.
Salts and passphrases
Ideally, passphrases should be unique for each file. This library achieves this by using salts. Salts are generated randomly for each file (number of salts should be specified) and are used to replace {salt[X]} structures in passphrase templates, where [X] is a salt index (array indices start from 0). Note that passphrase template might use any subset of salts, even though all of them are generated and stored in each encrypted file (see encrypted file structure).
Let's consider an example. Imagine the following stage: {'algorithm': 'TWOFISH', 'passphrase_template': 'something{salt1}else{salt3}here', 'num_salts': 5}. If randomly generated salts for some file are ['banana', 'pineapple', 'grape', 'orange', 'grape'], then the passphrase is somethingpineappleelseorangehere.
Hashes
Comparison of an encrypted file to an unencrypted one might take long time, because it requires decryption. To speed it up, the tool uses hashes. Encrypted file contains hash of its encrypted content, which can be accessed without decryption directly. Then, only hash of unencrypted file should be calculated to compare. In the current version, only SHA-256 is supported.
Filename encryption
The tool uses random urlsafe strings of length 32 as file names of encrypted files. Encrypted files contain their corresponding original names internally, also encrypted. Since original filenames should be decrypted for file comparison, one might want to use a faster encryption for that purpose (faster algorithms or less number of used algorithms).
Encrypted file structure
The following tables constitute a formal description of the encrypted file format.
| ENCRYPTED_FILE | |
|---|---|
| PREFIX | "SCryptoPy", ASCII marker |
| FORMAT_VERSION | One byte format version. Now only 0x00 is supported. |
| CONTENT_BLOCK* | Zero or more content blocks |
| CONTENT_BLOCK | |
|---|---|
| BLOCK_TYPE | One byte block type marker |
| BLOCK_LENGTH | One or more bytes that encode length of CONTENT_DATA block. Each byte encodes 7 bit of information. The last byte should start with bit 0, all the others should start with bit 1. E.g., length 15 is 0b00001111 and represented as one byte 0x0F (0b00001111), length 255 is 0b11111111 and represented as two bytes 0x81 0x7F (0b10000001 0b01111111). |
| CONTENT_DATA | Contains data that corresponds to BLOCK_TYPE. Should have BLOCK_LENGTH length. |
One byte block type marker can have one of the following values:
00: filename;01: directory name;03-FD: reserved;FE: SHA-256 hash;FF: data.
| CONTENT_DATA (for filename BLOCK_TYPE) | |
|---|---|
| ENCRYPTED_CONTENT | Encrypted original filename |
| CONTENT_DATA (for directory name BLOCK_TYPE) | |
|---|---|
| ENCRYPTED_CONTENT | Encrypted directory name |
| CONTENT_DATA (for hash BLOCK_TYPE) | |
|---|---|
| DATA | Unencrypted hash of the encrypted data |
| CONTENT_DATA (for data BLOCK_TYPE) | |
|---|---|
| ENCRYPTED_CONTENT | Encrypted data |
| ENCRYPTED_CONTENT | |
|---|---|
| SALT* | Zero or more salts |
| ENCRYPTED_DATA | Encrypted data |
| SALT | |
|---|---|
| RANDOM_SALT | Random salt in binary format |
| ZERO_BYTE | Zero byte 0x00 |
Encrypted directory structure
If directories are encrypted, then random urlsafe strings of length 32 are used as names of encrypted directories. Each encrypted directory contains __index__ file with encrypted original directory name. If directories are not encrypted, names of encrypted directories are the same as unencrypted and no index file needed.
CLI usage
SCryptoPy is composed of multiple commands, similar to git.
Common arguments
-v, --verbose- Enable verbose debug output-y, --yes- Do not ask for confirmation-p, --print_arguments- Print arguments and exit the script-ded, --no_encrypt_dirnames- Do not encrypt directory names
encrypt arguments
scryptopy [-v] [-p] [-ded] encrypt INPUT OUTPUT KEYFILE [-s] [-dc]
INPUT- Input file or directory to encryptOUTPUT- Output file or directory to place the encrypted filesKEYFILE- Path to the keyfile-s, --sync- Synchronize input and output. Any files in output that do not have corresponding inputs are removed-dc, --double_check- Double check the encryption. Takes a little bit more time, but ensures that encrypted files can be decrypted and are identical to the corresponding input files
decrypt arguments
scryptopy [-v] [-p] [-ded] decrypt INPUT OUTPUT KEYFILE [-s]
INPUT- Input file or directory to decryptOUTPUT- Output file or directory to place the decrypted filesKEYFILE- Path to the keyfile-s, --sync- Synchronize input and output. Any files in output that do not have corresponding inputs are removed
check arguments
scryptopy [-v] [-p] [-ded] check UNENCRYPTED ENCRYPTED KEYFILE
UNENCRYPTED- Unencrypted file or directoryENCRYPTED- Encrypted file or directoryKEYFILE- Path to the keyfile
Contribution
Ways to contribute:
- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Spread the word
Authors
Developed with passion by Klim Drobnyh.
License
Copyright © 2021 Klim Drobnyh.
All code is licensed under the GPL, v3 or later. See LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file scryptopy-0.12.1.tar.gz.
File metadata
- Download URL: scryptopy-0.12.1.tar.gz
- Upload date:
- Size: 27.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/3.10.0 pkginfo/1.7.1 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 4ea1345e2347d7d2bb0ef7d671096532e417fafeedc1f0ab91b4c8db4c172f72 |
|
| MD5 | 3d465de0dcd1e9854d36a55e25eb675a |
|
| BLAKE2b-256 | 55e938be364a6c3a181bda3823e4bec4f77a392262f5f4daa21f3cc7d6ebebd9 |
File details
Details for the file scryptopy-0.12.1-py3-none-any.whl.
File metadata
- Download URL: scryptopy-0.12.1-py3-none-any.whl
- Upload date:
- Size: 24.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/3.10.0 pkginfo/1.7.1 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f089a57fe48e7b4866cecb1ab2eb93322ca8b2612148dd1a3f06f207f611209b |
|
| MD5 | ca8a0afc24ad5750deb577e9f079370c |
|
| BLAKE2b-256 | 06ced0f63ab9f20b3b9f0af23dda6f58f34b5d4274f1216143281341cc4fa1c0 |
