How to encrypt/decrypt a configuration file in python

Question

I have a python application which read a configuration file. I need to encrypt the configuration file so it's not plain on disk. Then I need to decrypt it in my app and read the values. I see there is one library Secureconfig but it's only for python 2. Is there a similar lib in python that can help me do that?

Answer 1

thanks for configparser_crypt

i would like to convert an existing uncrypted ini to a crypted .ini and so the reverse, take a crypted .ini and save it as decrypted .ini

something like

conf_file.aes_key = my_previously_backed_up_aes_key
conf_file.cryptfile('original.ini', 'crypted.ini')
conf_file.decryptfile('crypted.ini', 'original.ini')

EDIT: thanks to the author who saw my comment and updated the documenation at github. thanks much, david

Answer 2

Going to dig this thread up a bit. I've written a ConfigParser inherited class that adds AES-256 symmetric encryption to ConfigParser config files. The class itself aswell as it's underlying crypto are already in production for a couple of projects, and are well tested.

Usage is quite like ConfigParser, except that you use an AES key and write binary files instead of text.

Install with pip install configparser_crypt

How to create an encrypted ini file using ConfigParserCrypt

from confiparser_crypt import ConfigParserCrypt

file = 'config.encrypted'
conf_file = ConfigParsercrypt()

# Create new AES key
conf_file.generate_key()
# Don't forget to backup your key somewhere
aes_key = conf_file.aes_key

# Use like normal configparser class
conf_file.add_section('TEST')
conf_file['TEST']['foo'] = 'bar'

# Write encrypted config file
with open(file, 'wb') as file_handle:
    conf_file.write_encrypted(file_handle)

How to read an encrypted ini file

from confiparser_crypt import ConfigParserCrypt

file = 'config.encrypted'
conf_file = ConfigParsercrypt()

# Set AES key
conf_file.aes_key = my_previously_backed_up_aes_key

# Read encrypted config file
conf_file.read_encrypted(file)
print(conf_file['TEST']['foo'])

Answer 3

@H.Z. - as Ivan pointed out, there are a number of options depending on the level of security you want.

I am working on a similar project to what you are describing and I am using the cryptogrophay library (https://cryptography.io/en/latest/)

You can install this using pip easily.

I am using this in a one step process to encrypt my config file - then have a separate script to decrypt in my main Python file. The decrypt script will have the key generated from the encryption script in it.

Hope this info helps if you haven't solved this already.

Answer 4

Since your program will have to contain the decryption key, you won't be able to protect the data from a determined user, only make decrypting it somewhat harder.

As per Cryptographic Services — Python 3.7.3 documentation, Python doesn't include any true ciphers out of the box. Only codecs have Caesar's cipher and standard encodings that mangle the data recoverably like UUEncode and Base64.

So if the above isn't good enough for you, you need to either implement a symmetric cipher yourself or use a library. See e.g. Python AES encryption without extra module.

Since true security is not possible here, the way to go depending on how hard you want to make it for a hacking user would be security through obscurity: use nonstandard ciphers, don't decrypt all the file at once, make many different place where the encryption/decryption takes place, use obfuscated code, add hidden checksums to protect from tampering, use bits of data outside the file stored in other, unexpected places etc.

If you are just interested in making the file unintelligible for a casual user, something like Base64 combined with XOR cipher will already make the data completely unintelligible when viewed with a text editor.