Skip to main content

SecondGuard Python Library

Project description

SecondGuard Python Client Library

Quickstart

Install from PyPI:

$ pip3 install --upgrade secondguard

Encrypt using the testing API token and testing RSA pubkey (no account needed):

from secondguard import sg_hybrid_encrypt, sg_hybrid_decrypt

your_secret = b"attack at dawn!"

# Testing credentials/pubkey (normally saved in your app's config):
API_TOKEN = 'SG-XXXX'
YOUR_PUBKEY = '''-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxY9sgHqrHRkfppnOJACr\nhwYxHP4d/OUUzbTiNFfcFoCyCUCL6dnLql1WPfaUyYWeLEQ4NTFI9Nfdy9tka6ZO\n75V3LCW5l2TMkbb0BvWnAcIK3lMY19kfFyImAoLvcZcAevi0ogkOn20zDrxVhlpv\nQAu3OMCQmc1aMgv6pp1FO4v3OjiXNp1AQQw8CIHnQzlLmGSMeUK1hdCcSGXq5qLA\nXrKwdkA8K6gDi67A43ZcWzew1KF8OwtA2WyLRfbzGaXqqq2pLNcrt90v64azkk+Q\nn8JTJym7k30Jv7zbhsGR08dvk6zn7TrNMn1TsIwflDFGSpzSCAQcz1gR+0GiwGvk\nqQkKeNhTAUHOdf7IONEpmZ+46O4uUmtAXu5lI0D5dPtl2M5ZtAjxRMvXX65QeNd7\nMwcoXy5LaUMnDVl8Sq8OL8dj8PMKiqO7m/yMuMfXgEd9EcdzFt80rRUCH3/H3+MT\nQMZdlbNASA5d//MOxERsb1ildEyfTQpSWvyeGIpCCtPmq3yJbKat95RTUX4uJPLi\nKFCifkVhirl+XxdDK6L0gly0kZEW41qyKZL+++5M6NalsBsMr5AFAUF0Ws4E+aWf\n6Zm8FDi6G4ZpAmVpP6bmqY+GoTFBQKXezICAwsJ6Dhy8UUHxDRQIiNTSLVnO5wgR\ncRfaU/jG6gorIFQvw8mw2hcCAwEAAQ==\n-----END PUBLIC KEY-----\n'''

# Encrypt locally (symmetrically and asymmetrically) and save the results to your DB:
local_ciphertext, sg_recovery_instructions = sg_hybrid_encrypt(
    to_encrypt=your_secret,
    rsa_pubkey=YOUR_PUBKEY, 
)

# Asymmetrically decrypt sg_recovery_instructions (via SecondGuard API) and use it to symmetrically decrypt local_ciphertext: 
secret_recovered, rate_limit_info = sg_hybrid_decrypt( 
    local_ciphertext_to_decrypt=local_ciphertext, 
    sg_recovery_instructions=sg_recovery_instructions,
    api_token=API_TOKEN,
)

if your_secret == secret_recovered:
    print("Your secret was recovered: %s" % secret_recovered)

See test_client.py to see how the protocol works.

Audit Log

For audit logging of decryption requests, we recommend storing the sha256 hash digest of the sg_recovery_instructions (base64 decoded) in an indexed column of your database. This makes it easy to see which records have been decrypted if your servers are breached. See the sg_hybrid_encrypt_with_auditlog() method with test coverage in test_client.py.


Under the Hood

Pull requests with test coverage are welcome!

Check out the code:

$ git checkout git@github.com:secondguard/secondguard-python.git && cd secondguard-python.git

Create & activate a virtual environment, install dependencies & this library

$ python3 -m virtualenv .venv3 && source .venv3/bin/activate && pip3 install -r requirements.txt && pip3 install --editable .

Run tests (running tests requires having previously intalled an --editable local version of this repo):

$ pytest -v
====================================== test session starts =======================================
platform darwin -- Python 3.7.8, pytest-5.4.3, py-1.9.0, pluggy-0.13.1 -- /Users/mflaxman/workspace/secondguard-python/.venv3/bin/python
cachedir: .pytest_cache
rootdir: /Users/mflaxman/workspace/secondguard-python
collected 3 items                                                                                

tests/test_client.py::test_sg_hybrid_encryption_and_decryption PASSED                      [ 33%]
tests/test_pyca.py::test_symmetric PASSED                                                  [ 66%]
tests/test_pyca.py::test_asymmetric PASSED                                                 [100%]

======================================= 3 passed in 0.39s ========================================

To update requirements.txt change requirements.in and then run (requires pip-tools):

$ pip-compile requirements.in

How these INSECURE testing RSA keys were created:

$ openssl genrsa -out insecureprivkey.pem 4096 && openssl rsa -in insecureprivkey.pem -pubout -out insecurepubkey.crt

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for secondguard, version 2.5.1
Filename, size File type Python version Upload date Hashes
Filename, size secondguard-2.5.1-py3-none-any.whl (11.9 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size secondguard-2.5.1.tar.gz (7.5 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page