Ian Pringle

Reputation: 364

Creating an encrypted file containing various credentials with Python

I am working on a program, written in Python 3, for work to automate a number of tasks we do. Currently the tasks are each their own program, but I intend to eventually move them all together under a unified interface (thinking of using prompt-toolkit). My current solution for credentials is just a creds.toml file, and each of the needed credentials is stored within it:

[db_name]
user = "me"
pass = "changeme!"

What I'd like to do is maintain the dictionary interface my credentials have, but store those passwords in an encrypted file. Eventually I'd like to have it so that credentials are added through my program so no one needs to interact with the program at all. I think this would be the best for users as we have a mix of sysadmins on my team and not all are too comfortable with CLIs and interacting with text files (silly Windows people ;) ).

What would be my best option for this? I am mostly concerned with accidentally viewing one another's credentials more than I am concerned with anything else. This will be used in a NOC so shifts share the same consoles and would have access to one another's file. It's pretty common to have to go into someone else's home dir to grab a script they wrote or to pick up something they didn't complete on their shift.

Ideally my workflow would be:

s_creds = decrypt(file)           # bytes of the serialised credential dict
creds = pickle.loads(s_creds)     # loads() takes bytes; load() takes a file object
session = Database(creds['db_name'])

And the Database class would contain:

class Database:
    def __init__(self, cred):
        ...
        self.user = cred['user']
        self.password = cred['pass']  # 'pass' is a keyword, so self.pass is a syntax error
        ...

I had initially thought that the file would be a toml file that was just encrypted. But it would make more sense to skip that and just serialize a dictionary.

Not too concerned with licenses, but I prefer not GPLv3 because of the hoops.

Upvotes: 0

Views: 911

Answers (1)

Ian Pringle

Reputation: 364

While editing one of the very first utils I created for this project I stumbled upon my initial credential storage method, keyring. This package allows for storing passwords on the local machine's keyring, in memory, or in an encrypted file (with use of another package, keyring.cryptfile). It will require reworking some stuff, though, as the credentials are not in a dictionary, but in an object.

Using keyring works something like:

>>> import keyring
>>> svc = 'service_name'
>>> usr = 'username'
>>> pwd = 'qwerty'  # 'pass' is a Python keyword and cannot be used as a variable name
>>> keyring.set_password(svc, usr, pwd)
>>> credentials = keyring.get_credential(svc, usr)
>>> credentials.username
'username'
>>> credentials.password
'qwerty'

I will then be able to make this much more secure than even an encrypted text file, by letting the OS handle the actual handling of the credentials. This seems like a good solution: while I can say "the passwords don't matter, no one will see them other than people who already have access to the same resources", that's wishful thinking and I should be more security minded with the proverbial "keys to the kingdom".

Upvotes: 1
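One way to keep the dictionary interface the question asks for (creds['db_name'] giving user and pass) on top of the keyring API, as an added example that is not part of the original post: MemoryKeyring is a constructed in-memory stand-in exposing the same set_password/get_password calls as the keyring module so the code runs offline, and in real use the imported keyring module is passed as the backend instead. The "nocutils" prefix and the "__username__" marker entry are assumptions of this example.

```python
from typing import Optional


class MemoryKeyring:
    """Constructed in-memory stand-in with the two keyring calls used below."""

    def __init__(self) -> None:
        self._store: dict = {}

    def set_password(self, service: str, username: str, password: str) -> None:
        self._store[(service, username)] = password

    def get_password(self, service: str, username: str) -> Optional[str]:
        return self._store.get((service, username))


class CredentialStore:
    """creds['db_name'] -> {'user': ..., 'pass': ...} on top of keyring.

    keyring looks passwords up by (service, username), so the username
    is kept under a fixed marker entry; the prefix keeps this tool's
    entries separate from anything else in the user's keyring.
    """

    _USER_MARKER = "__username__"  # assumed marker entry name

    def __init__(self, backend, prefix: str = "nocutils") -> None:
        self._kr = backend  # pass the imported keyring module in production
        self._prefix = prefix  # assumed service-name prefix

    def _svc(self, name: str) -> str:
        return f"{self._prefix}:{name}"

    def __setitem__(self, name: str, cred: dict) -> None:
        svc = self._svc(name)
        self._kr.set_password(svc, self._USER_MARKER, cred["user"])
        self._kr.set_password(svc, cred["user"], cred["pass"])

    def __getitem__(self, name: str) -> dict:
        svc = self._svc(name)
        user = self._kr.get_password(svc, self._USER_MARKER)
        password = None if user is None else self._kr.get_password(svc, user)
        if password is None:
            raise KeyError(name)  # unknown name or half-written entry
        return {"user": user, "pass": password}
```

With the real backend, `CredentialStore(keyring)` stores each entry in the OS keyring of the logged-in user, so another shift's account on the same console cannot read it the way it could read a file in the home directory.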
