[Cryptography-dev] Destroying keys and secrets…

Alex python-cryptography at qu3.org
Fri Feb 16 22:04:00 EST 2018


You might have a look at:
https://github.com/dnet/pysecstr

Here is a longer description about the used method:
https://www.sjoerdlangkemper.nl/2016/06/09/clearing-memory-in-python/

Disclaimer: This is not a recommendation, just a hint for further
exploration. Also be aware that you can't control if and when Python
swaps memory to disk.

Alex

On 16.02.2018 22:16, Andrew Donoho wrote:
> Gentlefolk,
> 
> 
> 
> 	Apparently, my Google-fu is weak and I come seeking advice.
> 
> 	Secret management is important. In particular, I want to make sure that any secrets I decrypt are erased from memory before the storage is reclaimed by the VM. In other environments, I would just dig into each object until I get the pointer for the storage and then bang zeros, ones and randomness into the block. Then garbage collection would proceed apace. 
> 
> 
> 
> Here’s an example from the cryptography documentation, <https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/>:
> 
> >>> import os
> >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
> >>> from cryptography.hazmat.backends import default_backend
> >>> backend = default_backend()
> >>> key = os.urandom(32)
> >>> iv = os.urandom(16)
> >>> cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
> >>> encryptor = cipher.encryptor()
> >>> ct = encryptor.update(b"a secret message") + encryptor.finalize()
> >>> decryptor = cipher.decryptor()
> >>> decryptor.update(ct) + decryptor.finalize()
> 'a secret message'
> 
> 
> The `key` above is a `bytes` object. It has storage somewhere. Even though it is a read-only Python object, I can pierce the abstraction, if I have to, with C.
> 
> My question is: has someone else already done so and published the handful of methods needed? 
> 
> If not, should this be an API added to cryptography?
> 
> 
> 
> Anon,
> Andrew
> ____________________________________
> Andrew W. Donoho
> Donoho Design Group, L.L.C.
> awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho
> 
> Doubt is not a pleasant condition, but certainty is absurd.
>     — Voltaire
> 
> 
> 
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
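An added illustration of the bytearray-plus-memset approach that the linked post describes (this is an example written for this page, not code from pysecstr, from the blog post, or from the cryptography project; the names SecretBuffer, fill_random, seal_with_fresh_key and copy_survives_wipe are assumptions). It keeps key material in a mutable bytearray so it can be overwritten in place, fills it without going through an immutable bytes object, and shows the main caveat: any copy made as bytes lives on until the garbage collector frees it.

```python
import ctypes
import hmac
import os


class SecretBuffer:
    """Hold key material in a mutable bytearray and overwrite it on release.

    Added example, not pysecstr or cryptography code. A bytes object is
    immutable, so Python code cannot clear it; a bytearray can be written
    over in place. Nothing here pins pages in RAM (no mlock), so the
    interpreter may still swap the buffer to disk.
    """

    def __init__(self, size):
        self.buf = bytearray(size)   # zero-filled, fixed-size storage
        self.wiped = False

    def __enter__(self):
        return self.buf

    def __exit__(self, exc_type, exc, tb):
        self.wipe()
        return False                 # never swallow exceptions

    def wipe(self):
        """Overwrite the buffer with zeros using memset on its real address."""
        n = len(self.buf)
        if n and not self.wiped:
            # from_buffer shares the bytearray's storage instead of copying it
            arr = (ctypes.c_char * n).from_buffer(self.buf)
            ctypes.memset(ctypes.addressof(arr), 0, n)
            del arr                  # release the buffer export
        self.wiped = True


def fill_random(buf):
    """Fill buf in place with OS randomness.

    Reading into the buffer avoids the immutable bytes copy that
    os.urandom() would return. Assumes a POSIX host with /dev/urandom;
    otherwise falls back to os.urandom (which leaves an unwipeable copy).
    """
    try:
        with open("/dev/urandom", "rb", buffering=0) as f:
            view = memoryview(buf)
            while len(view):
                n = f.readinto(view)
                view = view[n:]
    except OSError:
        buf[:] = os.urandom(len(buf))
    return len(buf)


def seal_with_fresh_key(message):
    """MAC a message under a fresh key, then wipe the key.

    Returns (tag_hex, key_is_wiped). hmac accepts a bytearray key, so the
    secret never has to be converted to bytes.
    """
    holder = SecretBuffer(32)
    with holder as key:
        fill_random(key)
        tag = hmac.new(key, message, "sha256").hexdigest()
    return tag, holder.buf == bytearray(32)


def copy_survives_wipe():
    """Caveat: wiping the holder does not touch copies made with bytes(),
    slicing or decoding; those stay in memory until the GC frees them.

    Returns (holder_is_wiped, copy_still_readable). Uses a constructed
    placeholder secret.
    """
    holder = SecretBuffer(8)
    with holder as key:
        key[:] = b"hunter2!"         # constructed sample secret
        leaked = bytes(key)          # immutable copy: cannot be wiped from Python
    return holder.buf == bytearray(8), leaked == b"hunter2!"


if __name__ == "__main__":
    tag, wiped = seal_with_fresh_key(b"a secret message")
    print("tag:", tag, "key wiped:", wiped)
    print("wiped holder, copy survives:", copy_survives_wipe())
```

The pattern only helps when the secret is never copied into a bytes object: passing the bytearray straight to APIs that accept bytes-like input (hmac here) keeps one wipeable home for the key, while any `bytes(key)`, `key[:8]` assigned to a bytes variable, or string decoding creates a copy that this code cannot clear.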
