Closed jkemp101 closed 4 years ago
I think the only thing to do here is swapping out the AES encryption helpers with these https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/
For anyone deploying this change, this is recommended to be done in several steps as outlined below:
Step 1: Deploy https://github.com/closeio/flask-common/pull/70 that:
\x00
, extract first byte as version and try to decrypt the rest of the message;\x00
or if first step fails signature test, it means that first byte is not a version marker, but part of the encrypted data. Decrypt as usual including the first byte.Step 2: Deploy https://github.com/closeio/flask-common/pull/72 that:
\x00
to all our encrypted data (these have IV size of 32 bytes).Step 3: Run a data migration to update existing data (prepend version \x00
). Optionally, it can also rotate your key.
Step 4: Deploy https://github.com/closeio/flask-common/pull/75 that:
\x01
, uses correctly-sized IVs.Step 5: Deploy https://github.com/closeio/flask-common/pull/71 that:
cryptography
, swapping pycrypto
out.\x01
and IV size 16 bytes.\x00
, uses the last 16 bytes of the original IV as the corrected IV before passing it to cryptography
.Step 6: (Optional.) Run another data migration to re-encrypt everything with version \x01
and correct IV size. Optionally, it can also rotate your key.
Step 7: (Optional.) Deploy https://github.com/closeio/flask-common/pull/77 that removes treatment for version 0.
If it's been a long time since you last rotated your key, it's recommended to use steps 3 or 6 as a chance to do that.
Dependency dropped in https://github.com/closeio/flask-common/pull/71.
Pycrypto is no longer supported and should be replaced. Cryptography package is probably the best choice