tsx
commented
5 years ago I think the only thing to do here is swapping out the AES encryption helpers with these https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/
Closed jkemp101 closed 4 years ago
tsx
commented
5 years ago I think the only thing to do here is swapping out the AES encryption helpers with these https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/
jpmelos
commented
5 years ago For anyone deploying this change, this is recommended to be done in several steps as outlined below:
Step 1: Deploy https://github.com/closeio/flask-common/pull/70 that:
\x00, extract first byte as version and try to decrypt the rest of the message;\x00 or if first step fails signature test, it means that first byte is not a version marker, but part of the encrypted data. Decrypt as usual including the first byte.Step 2: Deploy https://github.com/closeio/flask-common/pull/72 that:
\x00 to all our encrypted data (these have IV size of 32 bytes).Step 3: Run a data migration to update existing data (prepend version \x00). Optionally, it can also rotate your key.
Step 4: Deploy https://github.com/closeio/flask-common/pull/75 that:
\x01, uses correctly-sized IVs.Step 5: Deploy https://github.com/closeio/flask-common/pull/71 that:
cryptography, swapping pycrypto out.\x01 and IV size 16 bytes.\x00, uses the last 16 bytes of the original IV as the corrected IV before passing it to cryptography.Step 6: (Optional.) Run another data migration to re-encrypt everything with version \x01 and correct IV size. Optionally, it can also rotate your key.
Step 7: (Optional.) Deploy https://github.com/closeio/flask-common/pull/77 that removes treatment for version 0.
If it's been a long time since you last rotated your key, it's recommended to use steps 3 or 6 as a chance to do that.
jpmelos
commented
4 years ago Dependency dropped in https://github.com/closeio/flask-common/pull/71.
Pycrypto is no longer supported and should be replaced. Cryptography package is probably the best choice