Comments (7)

blag avatar blag commented on June 5, 2024 1

As of Django 4.1, Django uses a SECRET_KEY_FALLBACKS setting, which is used to rotate secret keys. If users use that properly, this project should be able to use that instead of DJANGO_FERNET_FIELD_ENCRYPTION_KEYS.

from django-fernet-encrypted-fields.

hendrikschneider avatar hendrikschneider commented on June 5, 2024

So, I found the issue. The secret key as well as the salt_keys are both used for encryption. A secret key is something that can be rotated from time to time, which leads to entries in the db that cannot be decrypted.

What I would propose is to add a new section to the settings like DJANGO_FERNET_FIELD_ENCRYPTION_KEYS = ['key1', 'key2', ...], which will be used together with the salt to encrypt/decrypt data. If this setting is not used, the secret key can still be used, to also keep the module backwards compatible.

@frgmt What do you think about this?


naohide avatar naohide commented on June 5, 2024

@StevenMapes Do you know why this happens?


StevenMapes avatar StevenMapes commented on June 5, 2024

@StevenMapes Do you know why this happens?

For the reason @hendrikschneider has said, it's used in the function. I hadn't noticed it before and I'd agree about changing it to use another value first and then falling back to the secret key; that way it could be rotated much like how I changed this project to allow for salt rotation. What we may want to do though is to limit it to a maximum of two values, effectively old and new, as otherwise if you had 6 salts and 6 keys it would produce 36 potential attempts to decrypt, which runs the risk of becoming slow. Or perhaps leaving it open and having a warning in the docs.


hendrikschneider avatar hendrikschneider commented on June 5, 2024

@StevenMapes @naohide I think limiting is a good idea. Actually, only two keys are needed to support key rotation and it would offer a clear way to document how to rotate the encryption secret. Having this approach would lead people to have only one key active during normal operations, two in the moment they want to rotate the key, and afterwards again only one key. No way to get lazy while rotating.


hendrikschneider avatar hendrikschneider commented on June 5, 2024

@StevenMapes @naohide Actually what I am thinking about is to extend this library with a command that automatically detects all models which use an encrypted field, to rotate the saved value to the new key. Just imagine how easy rotations would be, and developers wouldn't forget to rotate some models.

If we decide on how to handle the keys, I could take a look at implementing this.


StevenMapes avatar StevenMapes commented on June 5, 2024

I like the idea of the management command to check and rotate values.

Using DJANGO_FERNET_FIELD_ENCRYPTION_KEYS as a list makes sense to me as, whilst long, it's explicit and verbose.

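The rotation scheme discussed in this thread (a newest-first list of keys combined with the salts, decrypt by trying each candidate, and a command that re-encrypts stored values under the newest key), as an added example that is not the project's own code. It assumes the cryptography package and a PBKDF2-HMAC-SHA256 derivation of each Fernet key from a (secret, salt) pair; the iteration count and the class and function names are illustrative.

```python
import base64
import hashlib
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Assumption: keys are derived with PBKDF2-HMAC-SHA256 from (secret, salt);
# the iteration count here is illustrative, not the project's setting.
PBKDF2_ITERATIONS = 100_000


def derive_fernet_key(secret: str, salt: str) -> bytes:
    """Turn one (secret, salt) pair into a urlsafe-base64 32-byte Fernet key."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(),
                              PBKDF2_ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw)


class EncryptionKeyring:
    """Keys ordered newest first: encryption always uses keys[0]; decryption
    walks the list until one key verifies the token's HMAC."""

    def __init__(self, secrets, salts):
        self.keys = [derive_fernet_key(s, salt) for s in secrets for salt in salts]
        self._fernets = [Fernet(k) for k in self.keys]
        self._multi = MultiFernet(self._fernets)

    @property
    def max_decrypt_attempts(self) -> int:
        # Every (secret, salt) pair is a candidate: 6 secrets x 6 salts = 36 tries.
        return len(self._fernets)

    def encrypt(self, data: bytes) -> bytes:
        return self._multi.encrypt(data)

    def decrypt(self, token: bytes) -> bytes:
        return self._multi.decrypt(token)  # raises InvalidToken if no key matches

    def is_current(self, token: bytes) -> bool:
        """True when the newest key alone opens the token (no rotation needed)."""
        try:
            self._fernets[0].decrypt(token)
            return True
        except InvalidToken:
            return False

    def rotate(self, token: bytes) -> bytes:
        """Re-encrypt a stored token under the newest key, keeping the plaintext."""
        return self._multi.rotate(token)


def rotate_stored_values(keyring: EncryptionKeyring, rows: dict) -> dict:
    """What a 'rotate all encrypted fields' management command would do per
    table: return only the rows whose ciphertext had to be re-encrypted."""
    return {pk: keyring.rotate(tok) for pk, tok in rows.items()
            if not keyring.is_current(tok)}
```

Once every row has been rotated, the old secret can be dropped from the list, which is the "one key in normal operation, two only during rotation" discipline proposed above.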
