Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 6d69eab6caff7b87d32fab3c7178296e481eb8a4 / . / docs / fernet.rst
blob: b75be779ae28e26d5c8eb12b6872b88de5bc1571 [file] [log] [blame]
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]1Fernet (symmetric encryption)
Alex Gaynore9083292013-12-17 16:56:29 -0800[diff] [blame]2=============================
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]3
4.. currentmodule:: cryptography.fernet
5
Alex Gaynor681fca82013-12-31 14:13:39 -0800[diff] [blame]6Fernet provides guarantees that a message encrypted using it cannot be
7manipulated or read without the key. `Fernet`_ is an implementation of
8symmetric (also known as "secret key") authenticated cryptography.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]9
10.. class:: Fernet(key)
11
12 This class provides both encryption and decryption facilities.
13
14 .. doctest::
15
16 >>> from cryptography.fernet import Fernet
Alex Gaynor36597b42013-11-22 10:25:13 -0800[diff] [blame]17 >>> key = Fernet.generate_key()
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]18 >>> f = Fernet(key)
Alex Gaynor0d089632013-12-17 20:23:43 -0800[diff] [blame]19 >>> token = f.encrypt(b"my deep dark secret")
20 >>> token
Alex Gaynorde475eb2013-10-31 10:35:19 -0700[diff] [blame]21 '...'
Alex Gaynor0d089632013-12-17 20:23:43 -0800[diff] [blame]22 >>> f.decrypt(token)
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]23 'my deep dark secret'
24
Alex Gaynor7a121fc2013-11-22 10:18:30 -0800[diff] [blame]25 :param bytes key: A URL-safe base64-encoded 32-byte key. This **must** be
26 kept secret. Anyone with this key is able to create and
27 read messages.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]28
Alex Gaynor36597b42013-11-22 10:25:13 -0800[diff] [blame]29 .. classmethod:: generate_key()
30
31 Generates a fresh fernet key. Keep this some place safe! If you lose it
32 you'll no longer be able to decrypt messages; if anyone else gains
Alex Gaynor6cf242b2013-12-16 11:17:07 -0800[diff] [blame]33 access to it, they'll be able to decrypt all of your messages, and
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]34 they'll also be able forge arbitrary messages that will be
Alex Gaynor6cf242b2013-12-16 11:17:07 -0800[diff] [blame]35 authenticated and decrypted.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]36
Ayrx6d69eab2014-05-17 16:59:31 +0800[diff] [blame^]37 .. method:: encrypt(data)
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]38
Ayrx6d69eab2014-05-17 16:59:31 +0800[diff] [blame^]39 :param bytes data: The message you would like to encrypt.
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]40 :returns bytes: A secure message that cannot be read or altered
Alex Gaynor0d089632013-12-17 20:23:43 -0800[diff] [blame]41 without the key. It is URL-safe base64-encoded. This is
Alex Gaynor3aa243c2014-01-06 13:13:18 -0800[diff] [blame]42 referred to as a "Fernet token".
Ayrx6d69eab2014-05-17 16:59:31 +0800[diff] [blame^]43 :raises TypeError: This exception is raised if ``data`` is not a binary
44 type. This is ``str`` in Python 2 and ``bytes`` in
45 Python 3.
Alex Gaynor32dc4e42013-12-20 13:26:12 -0800[diff] [blame]46
Alex Gaynor719eb6a2013-12-20 13:35:57 -0800[diff] [blame]47 .. note::
Alex Gaynor32dc4e42013-12-20 13:26:12 -0800[diff] [blame]48
49 The encrypted message contains the current time when it was
50 generated in *plaintext*, the time a message was created will
51 therefore be visible to a possible attacker.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]52
Alex Gaynor0d089632013-12-17 20:23:43 -0800[diff] [blame]53 .. method:: decrypt(token, ttl=None)
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]54
Alex Gaynor0d089632013-12-17 20:23:43 -0800[diff] [blame]55 :param bytes token: The Fernet token. This is the result of calling
56 :meth:`encrypt`.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]57 :param int ttl: Optionally, the number of seconds old a message may be
58 for it to be valid. If the message is older than
59 ``ttl`` seconds (from the time it was originally
Alex Gaynor13e0d542013-10-31 10:38:04 -0700[diff] [blame]60 created) an exception will be raised. If ``ttl`` is not
61 provided (or is ``None``), the age of the message is
62 not considered.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]63 :returns bytes: The original plaintext.
Alex Gaynor719eb6a2013-12-20 13:35:57 -0800[diff] [blame]64 :raises cryptography.fernet.InvalidToken: If the ``token`` is in any
65 way invalid, this exception
66 is raised. A token may be
67 invalid for a number of
68 reasons: it is older than the
69 ``ttl``, it is malformed, or
70 it does not have a valid
71 signature.
Ayrx6d69eab2014-05-17 16:59:31 +0800[diff] [blame^]72 :raises TypeError: This exception is raised if ``token`` is not a binary
73 type. This is ``str`` in Python 2 and ``bytes`` in
74 Python 3.
Alex Gaynor7a121fc2013-11-22 10:18:30 -0800[diff] [blame]75
76
77.. class:: InvalidToken
78
79 See :meth:`Fernet.decrypt` for more information.
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]80
Alex Gaynorb32b4912014-01-23 16:24:13 -0600[diff] [blame]81Implementation
82--------------
83
84Fernet is built on top of a number of standard cryptographic primitives.
85Specifically it uses:
86
87* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` in
88 :class:`~cryptography.hazmat.primitives.ciphers.modes.CBC` mode with a
89 128-bit key for encryption; using
90 :class:`~cryptography.hazmat.primitives.ciphers.PKCS7` padding.
91* :class:`~cryptography.hazmat.primitives.hmac.HMAC` using
92 :class:`~cryptography.hazmat.primitives.hashes.SHA256` for authentication.
93* Initialization vectors are generated using ``os.urandom()``.
94
95For complete details consult the `specification`_.
96
Alex Gaynor333fb102013-10-31 10:27:35 -0700[diff] [blame]97
98.. _`Fernet`: https://github.com/fernet/spec/
Alex Gaynorb32b4912014-01-23 16:24:13 -0600[diff] [blame]99.. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md