[Noisebridge-discuss] pip install secureconfig (actual hacking!)
Naomi Most
pnaomi at gmail.com
Tue Apr 22 06:22:38 UTC 2014
Hi everybody,

I made a library called secureconfig for python and pushed its first
minor release version earlier today.

https://pypi.python.org/pypi/secureconfig
https://bitbucket.org/nthmost/python-secureconfig

secureconfig provides interfaces to (currently 3) data structures,
including the .ini style data people like to use the configparser
class with. You can encrypt/decrypt using keys stored in environment
variables, files, or strings.

There's also a nifty class called SecureString that automatically
zeroes its string data after garbage collection or if you explicitly
call the "burn" method. So if you're really paranoid you can do this:

    scfg = SecureConfigParser.from_env(NAME_OF_ENV)
    scfg.read('/path/to/config.ini')
    password = SecureString(scfg.get('credentials', 'password'))
    cnxn = ConnectToSomething(password)

    # overwrite string data with zeroes:
    password.burn()

You can easily recover plaintext data from a memory dump with root
access, so the burn function is handy if you don't completely trust
everyone you've ever given sudo to.

The encryption used is the so-called Fernet protocol -- AES-128 CBC
via https://cryptography.io

This is the first time I've ever made a library that makes claims
about "security", and I want to make sure it gets picked apart
appropriately. So feel free to critique code and documentation here.
Or just let me know if you try it out!

Cheers,
Naomi
--
Naomi Theora Most
naomi at nthmost.com
+1-415-728-7490
skype: nthmost
http://twitter.com/nthmost
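
Added example (not part of the original post and not secureconfig's code): per the public Fernet spec, a token is a version byte, a timestamp, an IV, AES-128-CBC ciphertext and an HMAC-SHA256 tag, and this standard-library check validates layout, tag and age without decrypting. The function names, key and sample token are constructed for illustration; the ciphertext is filler because the standard library has no AES.

```python
import base64, hashlib, hmac, struct, time

def make_sample_token(key_b64, ciphertext, iv, issued):
    """Build a Fernet-shaped token around filler ciphertext (constructed sample)."""
    signing_key = base64.urlsafe_b64decode(key_b64)[:16]
    body = b"\x80" + struct.pack(">Q", issued) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def inspect_token(key_b64, token, ttl=None, now=None):
    """Check layout, HMAC and age of a Fernet token; return its fields or raise ValueError."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    signing_key = key[:16]   # first half authenticates (HMAC-SHA256)
    # key[16:] is the AES-128 key; unused here because nothing is decrypted
    raw = base64.urlsafe_b64decode(token)
    # version(1) + timestamp(8) + IV(16) + at least one block(16) + HMAC(32)
    if len(raw) < 73 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("HMAC mismatch: wrong key or modified token")
    (issued,) = struct.unpack(">Q", body[1:9])
    iv, ciphertext = body[9:25], body[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    now = int(time.time()) if now is None else now
    if ttl is not None and issued + ttl < now:
        raise ValueError("token older than ttl")
    return {"issued": issued, "iv": iv, "ciphertext": ciphertext}

if __name__ == "__main__":
    key = base64.urlsafe_b64encode(bytes(range(32)))          # constructed key
    tok = make_sample_token(key, b"\x11" * 32, b"\x22" * 16, 1398147758)
    print(inspect_token(key, tok, ttl=60, now=1398147788)["issued"])
    forged = bytearray(base64.urlsafe_b64decode(tok))
    forged[30] ^= 0x01                                        # flip one ciphertext bit
    try:
        inspect_token(key, base64.urlsafe_b64encode(bytes(forged)))
    except ValueError as err:
        print("rejected:", err)
```

The tag is checked before any field is trusted, so a config value edited on disk is rejected rather than decrypted.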