georgemarshall / django-cryptography

Easily encrypt data in Django
https://django-cryptography.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Accessing data from two Django Applications #37

Open jdklub opened 4 years ago

jdklub commented 4 years ago

I am encrypting data in a few CharFields, and attempting to read this data from two different Django applications. I have specified the same CRYPTOGRAPHY_KEY and CRYPTOGRAPHY_SALT in the settings files of each application. However, I am unable to decrypt the data in the second application unless I use the same SECRET_KEY value in both applications. It was my impression that CRYPTOGRAPHY_KEY would take precedence over SECRET_KEY.

This seems to indicate only the key specified on the field or the SECRET_KEY is used.

from django.conf import settings
from django.core.signing import Signer
from django.utils.encoding import force_bytes
from cryptography.hazmat.primitives import hashes


class FernetSigner(Signer):
    version = b'\x80'

    def __init__(self, key=None):
        """
        :type key: any
        :rtype: None
        """
        self.digest = hashes.SHA256()
        # No explicit key -> falls back to SECRET_KEY, not CRYPTOGRAPHY_KEY
        self.key = force_bytes(key or settings.SECRET_KEY)

Am I misunderstanding how to configure the applications so that they can both access the data?
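An added stand-alone model of the fallback the snippet above shows (example code, not django-cryptography's own): the MAC key defaults to SECRET_KEY unless a key is passed explicitly, so two apps sharing CRYPTOGRAPHY_KEY but not SECRET_KEY cannot verify each other's data. The settings dicts, the `ToySigner` class and the `roundtrip` helper are constructed for illustration; the real library's key derivation (PBKDF2 with CRYPTOGRAPHY_SALT) and the Fernet encryption layer are left out.

```python
import hashlib
import hmac
from typing import Optional

# Constructed settings for two apps (not real keys): shared CRYPTOGRAPHY_KEY, different SECRET_KEY.
APP_A = {"SECRET_KEY": "app-a-secret", "CRYPTOGRAPHY_KEY": "shared-crypto-key"}
APP_B = {"SECRET_KEY": "app-b-secret", "CRYPTOGRAPHY_KEY": "shared-crypto-key"}


class BadSignature(Exception):
    """Raised when the HMAC tag over the blob does not verify."""


class ToySigner:
    """Models FernetSigner's fallback: no explicit key -> SECRET_KEY becomes the MAC key."""

    def __init__(self, app_settings: dict, key: Optional[bytes] = None):
        self.key = key or app_settings["SECRET_KEY"].encode()

    def sign(self, data: bytes) -> bytes:
        # Append a 32-byte HMAC-SHA256 tag computed under self.key.
        return data + hmac.new(self.key, data, hashlib.sha256).digest()

    def unsign(self, blob: bytes) -> bytes:
        data, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise BadSignature("MAC mismatch: the two apps are using different signing keys")
        return data


def roundtrip(writer: dict, reader: dict, sign_with_crypto_key: bool) -> bool:
    """Sign a blob under `writer`'s settings and verify it under `reader`'s.

    sign_with_crypto_key=False reproduces the reported behaviour (SECRET_KEY fallback);
    True models passing CRYPTOGRAPHY_KEY explicitly as the signing key.
    """
    def make_signer(app_settings: dict) -> ToySigner:
        key = app_settings["CRYPTOGRAPHY_KEY"].encode() if sign_with_crypto_key else None
        return ToySigner(app_settings, key)

    blob = make_signer(writer).sign(b"ciphertext-bytes")  # constructed stand-in for Fernet output
    try:
        make_signer(reader).unsign(blob)
        return True
    except BadSignature:
        return False
```

With the fallback, `roundtrip(APP_A, APP_B, False)` fails even though both apps share CRYPTOGRAPHY_KEY; only the same app, or an explicitly shared signing key, verifies.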

georgemarshall commented 4 years ago

I will look into this and see if there is a gap in the implementation.

ramonakira commented 4 years ago

I ran into the same behavior and it puzzled me quite a bit. Maybe update the documentation in the meantime?

jaap3 commented 4 years ago

It seems that FernetBytes uses the CRYPTOGRAPHY_KEY but CRYPTOGRAPHY_SALT uses SECRET_KEY. CRYPTOGRAPHY_SALT does not seem to be used in the code at all. (Never mind, it is used by CryptographyConf.)

kirktarou commented 3 years ago

@georgemarshall I tested this locally with defaults and saved data to an encrypted field. I was still able to decrypt that previously encrypted data after setting CRYPTOGRAPHY_KEY and CRYPTOGRAPHY_SALT.

If the default key and salt are never overridden by the CRYPTOGRAPHY_KEY and CRYPTOGRAPHY_SALT environment variables, this is a major bug that needs to be addressed ASAP.