Sign Up

Sign In

Forgot Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

You must login to ask question.

How to encrypt text with a password in python?

  • 4

Surprisingly difficult to find a straight answer to this on Google.

I’m wanting to collect a piece of text and a message from a user such as 1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc hello world.

Then I want to be able to encrypt/decrypt the message with the text somehow so that I can save it in my database and not worry about the data being exposed if my website gets hacked,
encrypt('1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc', 'hello world')
decrypt('1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc', <encrypted_text>)

Is there a simple way to achieve this with python and please can someone provide/direct me to an example.

Perhaps an example of how to create public/private key pairs using a seed such as '1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc'?

Many thanks in advance 🙂

EDIT: Just to be clear I’m looking for a way to encrypt my users data in a determanistic way not obfuscate the message.

If that means I have to generate a PGP/GPG pub/pri key pair on the fly by using the text 1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc as a seed then that’s fine but what’s the method to do this?

Share

1 Answer

  1. Here’s how to do it properly in CBC mode, including PKCS#7 padding:

    import base64
    from Crypto.Cipher import AES
    from Crypto.Hash import SHA256
    from Crypto import Random
    
    def encrypt(key, source, encode=True):
        key = SHA256.new(key).digest()  # use SHA-256 over our key to get a proper-sized AES key
        IV = Random.new().read(AES.block_size)  # generate IV
        encryptor = AES.new(key, AES.MODE_CBC, IV)
        padding = AES.block_size - len(source) % AES.block_size  # calculate needed padding
        source += bytes([padding]) * padding  # Python 2.x: source += chr(padding) * padding
        data = IV + encryptor.encrypt(source)  # store the IV at the beginning and encrypt
        return base64.b64encode(data).decode("latin-1") if encode else data
    
    def decrypt(key, source, decode=True):
        if decode:
            source = base64.b64decode(source.encode("latin-1"))
        key = SHA256.new(key).digest()  # use SHA-256 over our key to get a proper-sized AES key
        IV = source[:AES.block_size]  # extract the IV from the beginning
        decryptor = AES.new(key, AES.MODE_CBC, IV)
        data = decryptor.decrypt(source[AES.block_size:])  # decrypt
        padding = data[-1]  # pick the padding value from the end; Python 2.x: ord(data[-1])
        if data[-padding:] != bytes([padding]) * padding:  # Python 2.x: chr(padding) * padding
            raise ValueError("Invalid padding...")
        return data[:-padding]  # remove the padding
    

    It’s set to work with bytes data, so if you want to encrypt strings or use string passwords make sure you encode() them with a proper codec before passing them to the methods. If you leave the encode parameter to True the encrypt() output will be base64 encoded string, and decrypt() source should be also base64 string.

    Now if you test it as:

    my_password = b"secret_AES_key_string_to_encrypt/decrypt_with"
    my_data = b"input_string_to_encrypt/decrypt"
    
    print("key:  {}".format(my_password))
    print("data: {}".format(my_data))
    encrypted = encrypt(my_password, my_data)
    print("\nenc:  {}".format(encrypted))
    decrypted = decrypt(my_password, encrypted)
    print("dec:  {}".format(decrypted))
    print("\ndata match: {}".format(my_data == decrypted))
    print("\nSecond round....")
    encrypted = encrypt(my_password, my_data)
    print("\nenc:  {}".format(encrypted))
    decrypted = decrypt(my_password, encrypted)
    print("dec:  {}".format(decrypted))
    print("\ndata match: {}".format(my_data == decrypted))
    

    your output would be similar to:

    key:  b'secret_AES_key_string_to_encrypt/decrypt_with'
    data: b'input_string_to_encrypt/decrypt'
    
    enc:  7roSO+P/4eYdyhCbZmraVfc305g5P8VhDBOUDGrXmHw8h5ISsS3aPTGfsTSqn9f5
    dec:  b'input_string_to_encrypt/decrypt'
    
    data match: True
    
    Second round....
    
    enc:  BQm8FeoPx1H+bztlZJYZH9foI+IKAorCXRsMjbiYQkqLWbGU3NU50OsR+L9Nuqm6
    dec:  b'input_string_to_encrypt/decrypt'
    
    data match: True
    

    Proving that same key and same data still produce different ciphertext each time.

    Now, this is much better than ECB but… if you’re going to use this for communication – don’t! This is more to explain how it should be constructed, not really to be used in a production environment and especially not for communication as its missing a crucial ingredient – message authentication. Feel free to play with it, but you should not roll your own crypto, there are well vetted protocols that will help you avoid the common pitfalls and you should use those.

    • 0
Leave an answer

Leave an answer

Browse

close