Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • Use django-fernet-fields, which uses Fernet
    • Fernet essentially combines the latest industrial strength of crypto algorithms for symmetric encryption (so we don't need to pick and choose):
      • AES cipher in CBC mode, for encryption
      • SHA256 HMAC, for integrity protection
      • AES base64-encoded, 32-bit key generation
  • django Settings:
    • In public env file:
      • FERNET_USE_HKDF=True
    • In secure auth file (configure FERNET_KEYS, rather than having it use SECRET_KEY)
      • FERNET_KEYS=[<current_key>, <older keys>]
    • For the production environment, devOps will generate a secure master-key as a value for FERNET_KEYS.
    • For test environments (sandbox, localhost, etc), you can generate your own 32-bit test key using random.
  • Key Rotation 
    • Create an annual reminder to generate a new FERNET master-key for new encryptions, while keeping the old key for decryptions of old values.
    • For the production environment, this will need to be done by devOps.
    • Prepend the new master key to the list of FERNET_KEYS.
  • See Usage section for how to use these in your django models to create encrypted fields automatically
  • Code reference: