1. Krptn

Please have a look at our homepage for an overview of the project. Here we only host documentation.

Quick Install:

pip install krptn

Note: we don’t have pre-built extensions for all platforms. Please see the installation section in this documentation for more info.

If after reading this you like our project, please consider starring it on GitHub!

1.1. What problem do we solve?

We all love Django and other web frameworks! However, their primary focus is building websites, not implementing secure storage for user data. Django makes it easy to store data, and while it hashes passwords, it does not encrypt the rest of a user's data for you. If the database is breached, malicious actors can read every row in the clear. Encryption is left to the developer…

Wouldn't it be nice if encryption were handled too, with keys derived from the user's credentials, so that without the user entering those credentials not even the database administrator can read the data? This is exactly what Krptn does!

Krptn runs in the same server instance as your web app, so you don't have to host anything new. Just install the Python extension.

To show that this is possible, we have Flask and Django examples on GitHub.


1.2. What is this?

A user authentication and access management (IAM) system whose encryption of data at rest uses keys derived from user credentials. It is available as a Python extension module. It does, however, have certain limitations.

How do we achieve this?

  • All data handed to Krptn is encrypted (the developer chooses which data is to be secured)

  • Only the corresponding user's credentials can unlock the cryptosystem (this protects the stored data from server-side attacks such as a database breach)

This gives you the security of encryption without ever having to notice it is there. Note what the protection covers: the data in the database is unreadable without the user's credentials, but while a user has unlocked their keys by logging in, the server process handling that session can naturally read that user's data.
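The following is an added illustration of the architecture described in sections 1.1 and 1.2 and of the "wrapped symmetric key" idea behind the Key Management System in section 1.8; it is not Krptn's code and does not use its API. It shows why a database administrator cannot read a record without the user's password: the password is run through a KDF to produce a key-encryption key, that key wraps a random per-user data-encryption key, and only the wrapped key and ciphertexts reach the database. Because it must run with the Python standard library alone, the authenticated encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; that is a stand-in for the OpenSSL 3 primitives Krptn uses, chosen so the example runs offline, not a recommendation to hand-roll ciphers in production. All names, the sample password and the sample record are constructed for this example.

```python
"""Credential-derived encryption at rest, sketched with the Python standard library.

  password --KDF--> KEK  wraps  DEK  encrypts  records
The database only ever holds salts, wrapped DEKs and ciphertexts.
(Illustrative example; not Krptn's implementation.)
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000   # PBKDF2 work factor; raise it for production use
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the password: 64 bytes, split into enc and mac halves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Layout: nonce || tag || ciphertext."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject wrong keys and tampering."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: wrong credentials or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_user(password: str) -> dict:
    """The per-user row the DB stores: a salt and the DEK wrapped under the password-derived KEK."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(64)          # random data-encryption key, never stored in clear
    return {"salt": salt, "wrapped_dek": seal(derive_kek(password, salt), dek)}


def unlock_dek(user: dict, password: str) -> bytes:
    """Only the correct password yields a KEK that authenticates the wrapped DEK."""
    return unseal(derive_kek(password, user["salt"]), user["wrapped_dek"])


def secure_create(user: dict, password: str, data: str) -> bytes:
    """Analogue of a create operation: returns the ciphertext row to store."""
    return seal(unlock_dek(user, password), data.encode("utf-8"))


def secure_read(user: dict, password: str, row: bytes) -> str:
    """Analogue of a read operation: fails unless the caller knows the password."""
    return unseal(unlock_dek(user, password), row).decode("utf-8")


def change_password(user: dict, old: str, new: str) -> dict:
    """Re-wrap the DEK under a KEK from the new password; existing rows need no re-encryption."""
    dek = unlock_dek(user, old)
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_dek": seal(derive_kek(new, salt), dek)}


def _can_read(user: dict, password: str, row: bytes) -> bool:
    try:
        secure_read(user, password, row)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Walk through the threat model on a constructed user and record."""
    pw = "correct horse battery staple"            # constructed sample credential
    user = create_user(pw)
    row = secure_create(user, pw, "Example data")   # constructed sample record
    tampered = row[:-1] + bytes([row[-1] ^ 0x01])   # one flipped ciphertext byte
    renewed = change_password(user, pw, "new-passphrase")
    return {
        "plaintext_in_db": b"Example data" in row,            # what a DB dump reveals
        "admin_can_read": _can_read(user, "admin's guess", row),
        "tamper_detected": not _can_read(user, pw, tampered),
        "user_reads": secure_read(user, pw, row),
        "reads_after_change": secure_read(renewed, "new-passphrase", row),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is the two-level key hierarchy: because records are encrypted under a random DEK and only the DEK is wrapped under the credential-derived key, a password change costs one re-wrap rather than re-encrypting every row, and a wrong password fails at the wrapped-DEK tag check before any record is touched.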

1.3. Features

  • Secure Storage of Data

  • User Authentication

  • Uses OpenSSL 3 backend

  • Secure memory wiping (except on PyPy)

  • FIDO Passwordless

  • Integration with popular web frameworks

1.3.1. Example usage of the Crypto Class

We also offer more sophisticated user authentication; the Crypto class is the lower-level building block.

from krypton import basic

# Create an instance of Crypto - a class for encrypting and storing sensitive data.
myCrypto = basic.Crypto()

# The credential from which the encryption key is derived; in a real app this
# comes from the user, never from a hard-coded string.
pwd = "Perhaps provided by the user"

# It supports C.R.U.D. operations. secureCreate stores the data encrypted and
# returns an integer record id; the same credential is needed to read it back.
record_id = myCrypto.secureCreate("Example data", pwd)  # record_id is an integer
print("The data is:")
print(myCrypto.secureRead(record_id, pwd))  # prints Example data

1.4. Installation

Recommended: install using PIP:

pip install krptn

Because we do not have pre-built extensions for all platforms, you may need to build from source.

1.5. User Auth

See User Auth.

To use FIDO/WebAuthn with User Auth, please see Krptn’s FIDO Documentation.

1.6. Integration with web frameworks

1.7. Crypto Class

The Crypto class is available, though you would typically use the User Auth API, which is higher level and more fully featured.

1.8. Key Management System

Under the hood, this module uses a custom Key Management System for its symmetric encryption keys. You would typically use the User Auth API rather than the KMS directly, but it is available for simple, lower-level tasks. See KMS for more information.

Note: we considered using an HSM as the key management system, but decided not to integrate HSMs because it would be difficult to preserve encryption derived from user credentials.

All data is still securely encrypted, even without an HSM.

If you want, you can additionally encrypt the SQL database itself with HSM-managed keys.

1.9. Use custom databases

Here is an example of how to set the database to be used:

import krypton

# Database URL for the store that holds the encrypted user data
krypton.configs.SQLDefaultCryptoDBpath = "sqlite+pysqlite:///Path/example.db"
# Database URL for the store that holds the key material
krypton.configs.SQLDefaultKeyDBpath = "sqlite+pysqlite:///Path/key.db"

To see what these connection strings should contain, please see Databases.

1.10. Settings

Configurations