[Noisebridge-discuss] pip install secureconfig (actual hacking!)

Naomi Most pnaomi at gmail.com
Tue Apr 22 06:22:38 UTC 2014


Hi everybody,

I made a library called secureconfig for python and pushed its first
minor release version earlier today.

https://pypi.python.org/pypi/secureconfig

https://bitbucket.org/nthmost/python-secureconfig


secureconfig provides interfaces to (currently 3) data structures,
including the .ini style data people like to use the configparser
class with.  You can encrypt/decrypt using keys stored in environment
variables, files, or strings.

There's also a nifty class called SecureString that automatically
zeroes its string data after garbage collection or if you explicitly
call the "burn" method.  So if you're really paranoid you can do this:

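    from secureconfig import SecureConfigParser, SecureString

    # NAME_OF_ENV: name of the environment variable that holds the key
    scfg = SecureConfigParser.from_env(NAME_OF_ENV)
    scfg.read('/path/to/config.ini')

    password = SecureString(scfg.get('credentials', 'password'))

    # ConnectToSomething stands in for whatever client needs the credential
    cnxn = ConnectToSomething(password)

    # overwrite string data with zeroes:
    password.burn()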


You can easily recover plaintext data from a memory dump with root
access, so the burn function is handy if you don't completely trust
everyone you've ever given sudo to.

The encryption used is the so-called Fernet protocol -- AES-128 CBC
via https://cryptography.io

This is the first time I've ever made a library that makes claims
about "security", and I want to make sure it gets picked apart
appropriately.  So feel free to critique code and documentation here.

Or just let me know if you try it out!

Cheers,
Naomi


-- 
Naomi Theora Most
naomi at nthmost.com
+1-415-728-7490

skype: nthmost

http://twitter.com/nthmost
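
Added example, not part of the original post and not secureconfig's or cryptography.io's code: besides the AES-128 CBC ciphertext, a Fernet token carries a timestamp and an HMAC-SHA256 tag, and the 32-byte key splits into a signing half and an encryption half. The sketch below parses that layout and checks the tag with the standard library only; the function names and the sample token (random filler where real AES output would be) are constructed for illustration.

```python
import base64, hashlib, hmac, os, struct, time

def split_key(key_b64):
    """A Fernet key is 32 bytes: 16 for HMAC signing, then 16 for AES-128."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return key[:16], key[16:]

def parse_token(token):
    """Layout: 0x80 | 8-byte timestamp | 16-byte IV | ciphertext | 32-byte HMAC."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a version 0x80 Fernet token")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"timestamp": struct.unpack(">Q", raw[1:9])[0], "iv": raw[9:25],
            "ciphertext": ciphertext, "signed": raw[:-32], "hmac": raw[-32:]}

def is_authentic(key_b64, token, ttl=None, now=None):
    """Check the tag (and optionally the age) before any decryption is attempted."""
    signing_key, _ = split_key(key_b64)
    try:
        parts = parse_token(token)
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False
    expected = hmac.new(signing_key, parts["signed"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, parts["hmac"]):
        return False
    if ttl is not None:
        now = int(time.time()) if now is None else now
        return now - parts["timestamp"] <= ttl
    return True

def make_sample_token(key_b64, timestamp):
    """Constructed sample: random bytes stand in for the AES-CBC ciphertext."""
    signing_key, _ = split_key(key_b64)
    body = b"\x80" + struct.pack(">Q", timestamp) + os.urandom(16) + os.urandom(32)
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

if __name__ == "__main__":
    key = base64.urlsafe_b64encode(bytes(range(32)))  # constructed key, not a secret
    token = make_sample_token(key, int(time.time()))
    print(parse_token(token)["timestamp"], is_authentic(key, token, ttl=60))
```

A config value whose token fails is_authentic() was either modified or written under a different key, which is something CBC on its own would not reveal.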
