
I need to encrypt data stored in web2py, more precisely passwords.

This is not about authentication, but more something in the line of a KeePass-like application.

I've seen that is included in web2py, but and M2Secret could easily do that. With M2Secret I can use this:

import m2secret

# Encrypt
secret = m2secret.Secret()
secret.encrypt('my data', 'my master password')
serialized = secret.serialize()

# Decrypt
secret = m2secret.Secret()
secret.deserialize(serialized)
data = secret.decrypt('my master password')

But I would have to include the M2Crypto library in my appliance.

Is there a way to do this with PyMe which is already included with web2py?

Cyann

1 Answer


By default web2py stores passwords hashed using HMAC+SHA512 so there is nothing for you to do. It is better than the mechanism that you suggest because encryption is reversible while hashing is not. You can change this and do what you ask above but it would not be any more secure than using plaintext (since you would have to expose the encryption key in the app).

Anyway. Let's say you have a

db.define_table('mytable', Field('myfield', 'password'))

and you want to use m2secret. You would do:

import m2secret

class MyValidator:
    def __init__(self, key):
        self.key = key

    def __call__(self, value):
        # Runs on input: encrypt the submitted value before it is stored.
        # A web2py validator returns (value, error); error is None on success.
        secret = m2secret.Secret()
        secret.encrypt(value, self.key)
        return (secret.serialize(), None)

    def formatter(self, value):
        # Runs on output: decrypt the stored value for display.
        secret = m2secret.Secret()
        secret.deserialize(value)
        return secret.decrypt(self.key)

db.mytable.myfield.requires=MyValidator("master password")

In web2py validators are also two way filters.

mdipierro
  • Note that I need to store the data using reversible encryption, as the app's goal is to hand out the stored passwords. My concern is with offline attacks on the database; this is why I want to encrypt the data. But I'll have a look at the public key algorithms available in PyMe to avoid adding dependencies to web2py. – Cyann Nov 04 '10 at 13:17
  • You may want to consider storing the DB in an encrypted filesystem (perhaps in a file). It is better to hand encryption responsibility to the OS than to the app, since the latter is the first that may be compromised in case of attack. – mdipierro Nov 04 '10 at 13:24
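The two-way validator pattern from the answer, as an added example that is not part of the original thread and uses neither web2py nor m2secret: the class name EncryptedField, the PBKDF2 salt/nonce layout and the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag are all constructed here, using only the Python standard library, so that `__call__` returns the web2py `(value, error)` pair and `formatter` returns the decrypted display value. It also shows why the answer calls this no better than plaintext against an attacker who holds the app: the master password must be present at runtime.

```python
import base64
import hashlib
import hmac
import os

# Constructed example: stdlib-only reversible encryption of a stored field.
# Key derivation: PBKDF2-HMAC-SHA256 with a per-record random salt.
# Cipher: HMAC-SHA256 used as a PRF in counter mode (keystream XOR plaintext).
# Integrity: HMAC-SHA256 tag over salt || nonce || ciphertext (encrypt-then-MAC).

def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _derive_keys(master_password, salt):
    # 64 bytes of key material: first 32 encrypt, last 32 authenticate (assumed split).
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return material[:32], material[32:]

class EncryptedField:
    """web2py validator contract: __call__ -> (stored_value, error); formatter -> display value."""
    def __init__(self, master_password):
        self.master_password = master_password  # must live in the app: the weak point

    def __call__(self, value):
        salt, nonce = os.urandom(16), os.urandom(16)
        enc_key, mac_key = _derive_keys(self.master_password, salt)
        plaintext = value.encode()
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
        return base64.b64encode(salt + nonce + ciphertext + tag).decode(), None

    def formatter(self, value):
        blob = base64.b64decode(value)
        salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
        enc_key, mac_key = _derive_keys(self.master_password, salt)
        expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Tampered record or wrong master password: refuse rather than show garbage.
            raise ValueError("stored value was modified or the master password is wrong")
        return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()
```

Because every record gets a fresh salt and nonce, two stores of the same password produce different blobs, so the database alone does not reveal which accounts share a password.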