...
- Use django-fernet-fields, which is built on Fernet
- Fernet combines a standard, well-vetted set of symmetric-encryption primitives (so we don't have to pick and choose):
  - AES cipher in CBC mode, for encryption
  - SHA256 HMAC, for integrity protection
  - base64-encoded, 32-bit key generation
- Django settings:
  - In the public env file:
    - FERNET_USE_HKDF=True
  - In the secure auth file (configure FERNET_KEYS explicitly, rather than letting it fall back to SECRET_KEY):
    - FERNET_KEYS=[<current_key>, <older keys>]
    - For the production environment, devOps will generate a secure master key as the value for FERNET_KEYS.
    - For test environments (sandbox, localhost, etc.), you can generate your own 32-bit test key using random.
- Key rotation
  - Create an annual reminder to generate a new FERNET master key for new encryptions, while keeping the old key so that existing values can still be decrypted.
  - For the production environment, this will need to be done by devOps.
  - Prepend the new master key to the FERNET_KEYS list (the first key encrypts; every key in the list can decrypt).
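A worked illustration of the FERNET_KEYS rotation described above (an added example, not code from this page or from django-fernet-fields itself): it assumes the `cryptography` package is installed, and the HKDF salt/info used to model FERNET_USE_HKDF=True are this example's assumption.

```python
# Added example (not from the page or from django-fernet-fields itself): how a
# FERNET_KEYS list behaves across rotation, built on the `cryptography` package.
# The HKDF parameters below (SHA256, 32-byte output, no salt, a fixed info
# label) are this example's assumption about what FERNET_USE_HKDF=True does.
import base64
from cryptography.fernet import Fernet, InvalidToken, MultiFernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

PLAINTEXT = b"4111 1111 1111 1111"   # constructed sample field value

def derive_fernet_key(secret: str) -> bytes:
    """Stretch an arbitrary FERNET_KEYS string into a valid Fernet key."""
    # Fernet wants the url-safe base64 encoding of exactly 32 random bytes.
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"django-fernet-fields")       # assumed info label
    return base64.urlsafe_b64encode(hkdf.derive(secret.encode("utf-8")))

def build_cipher(fernet_keys: list) -> MultiFernet:
    """FERNET_KEYS=[current, older...]: first key encrypts, every key decrypts."""
    return MultiFernet([Fernet(derive_fernet_key(k)) for k in fernet_keys])

def rotate_keys(fernet_keys: list, new_key: str) -> list:
    """The annual rotation step: prepend the new master key, keep the old ones."""
    return [new_key] + list(fernet_keys)

def demo() -> dict:
    keys_year1 = ["master-key-2023-example"]             # constructed secret
    token = build_cipher(keys_year1).encrypt(PLAINTEXT)  # stored ciphertext

    # Year 2: a fresh key is prepended; old rows stay readable via the old key.
    keys_year2 = rotate_keys(keys_year1, "master-key-2024-example")
    cipher_year2 = build_cipher(keys_year2)
    still_readable = cipher_year2.decrypt(token) == PLAINTEXT

    # Dropping the old key instead of keeping it makes existing rows unreadable.
    try:
        build_cipher(keys_year2[:1]).decrypt(token)
        old_rows_lost = False
    except InvalidToken:
        old_rows_lost = True

    # MultiFernet.rotate() re-encrypts under the current (first) key: migrate
    # stored values this way before an old key is finally retired.
    migrated = cipher_year2.rotate(token)
    migrated_ok = build_cipher(keys_year2[:1]).decrypt(migrated) == PLAINTEXT
    return {"still_readable": still_readable, "old_rows_lost": old_rows_lost,
            "migrated_ok": migrated_ok}
```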
- See the Usage section for how to use these in your Django models to create encrypted fields automatically
- Code reference: