The API below allows for symmetric encryption and decryption using configurable secret keys. After encryption, the data returned is safe to use in URLs.
The keys are generated when servers are created before they are added to a cluster. Access to the keys must be restricted because knowledge of keys lets anyone decrypt any previously encrypted data. By default, the keys are kept in a config file called secrets.conf but it is possible not to store them on disk - they can be read from stdin, command line or environment variables.
If there is more than one server in a cluster, all of them must use the same secret key.
Note that the output of encryption contains the timestamp indicating when it took place. Because a timestamp is included, each generated secret will be different even for the same input data.
Under the hood, encryption and decryption are implemented using Fernet (AES-128, PKCS7, HMAC-SHA256).
# -*- coding: utf-8 -*-
# Zato
from zato.server.service import Service
class MyService(Service):
def handle(self):
# Data to encrypt - note that it must be a bytes object
data = b'1234567890'
# Log data to be manipulated
self.logger.info('Data `%s`', data)
# Encrypt it
encrypted = self.crypto.encrypt(data)
# Log the resulting form
self.logger.info('Encrypted `%s`', encrypted)
# Decrypt it back
decrypted = self.crypto.decrypt(encrypted)
# Log output - will be the same as original data
self.logger.info('Decrypted `%s`', decrypted)
Other crypto APIs: