| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 1 | Fernet |
| 2 | ====== |
| 3 | |
| 4 | .. currentmodule:: cryptography.fernet |
| 5 | |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 6 | `Fernet`_ is an implementation of symmetric (also known as "secret key") |
| Alex Gaynor | 43307c7 | 2013-11-21 21:50:14 -0800 | [diff] [blame] | 7 | authenticated cryptography. Fernet provides guarantees that a message encrypted |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 8 | using it cannot be manipulated or read without the key. |
| 9 | |
| 10 | .. class:: Fernet(key) |
| 11 | |
| 12 | This class provides both encryption and decryption facilities. |
| 13 | |
| 14 | .. doctest:: |
| 15 | |
| 16 | >>> from cryptography.fernet import Fernet |
| Alex Gaynor | 36597b4 | 2013-11-22 10:25:13 -0800 | [diff] [blame^] | 17 | >>> key = Fernet.generate_key() |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 18 | >>> f = Fernet(key) |
| 19 | >>> ciphertext = f.encrypt(b"my deep dark secret") |
| Alex Gaynor | de475eb | 2013-10-31 10:35:19 -0700 | [diff] [blame] | 20 | >>> ciphertext |
| 21 | '...' |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 22 | >>> f.decrypt(ciphertext) |
| 23 | 'my deep dark secret' |
| 24 | |
| Alex Gaynor | 7a121fc | 2013-11-22 10:18:30 -0800 | [diff] [blame] | 25 | :param bytes key: A URL-safe base64-encoded 32-byte key. This **must** be |
| 26 | kept secret. Anyone with this key is able to create and |
| 27 | read messages. |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 28 | |
| Alex Gaynor | 36597b4 | 2013-11-22 10:25:13 -0800 | [diff] [blame^] | 29 | .. classmethod:: generate_key() |
| 30 | |
| 31 | Generates a fresh fernet key. Keep this some place safe! If you lose it |
| 32 | you'll no longer be able to decrypt messages; if anyone else gains |
| 33 | access to it, they'll be able to decrypt all of your messages. |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 34 | |
| 35 | .. method:: encrypt(plaintext) |
| 36 | |
| 37 | :param bytes plaintext: The message you would like to encrypt. |
| 38 | :returns bytes: A secure message which cannot be read or altered |
| Alex Gaynor | 7a121fc | 2013-11-22 10:18:30 -0800 | [diff] [blame] | 39 | without the key. It is URL-safe base64-encoded. |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 40 | |
| 41 | .. method:: decrypt(ciphertext, ttl=None) |
| 42 | |
| 43 | :param bytes ciphertext: An encrypted message. |
| 44 | :param int ttl: Optionally, the number of seconds old a message may be |
| 45 | for it to be valid. If the message is older than |
| 46 | ``ttl`` seconds (from the time it was originally |
| Alex Gaynor | 13e0d54 | 2013-10-31 10:38:04 -0700 | [diff] [blame] | 47 | created) an exception will be raised. If ``ttl`` is not |
| 48 | provided (or is ``None``), the age of the message is |
| 49 | not considered. |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 50 | :returns bytes: The original plaintext. |
| Alex Gaynor | 7a121fc | 2013-11-22 10:18:30 -0800 | [diff] [blame] | 51 | :raises InvalidToken: If the ``ciphertext`` is in any way invalid, this |
| 52 | exception is raised. A ciphertext may be invalid |
| 53 | for a number of reasons: it is older than the |
| 54 | ``ttl``, it is malformed, or it does not have a |
| 55 | valid signature. |
| 56 | |
| 57 | |
| 58 | .. class:: InvalidToken |
| 59 | |
| 60 | See :meth:`Fernet.decrypt` for more information. |
| Alex Gaynor | 333fb10 | 2013-10-31 10:27:35 -0700 | [diff] [blame] | 61 | |
| 62 | |
| 63 | .. _`Fernet`: https://github.com/fernet/spec/ |