Gentlefolk,
Apparently, my Google-fu is weak and I come seeking advice.
Secret management is important. In particular, I want to make sure that
any secrets I decrypt are erased from memory before the storage is reclaimed by
the VM. In other environments, I would just dig into each object until I get
the pointer for the storage and then bang zeros, ones and randomness into the
block. Then garbage collection would proceed apace.
Here’s an example from the cryptography documentation,
<https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/>:
>>> import os
>>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
>>> from cryptography.hazmat.backends import default_backend
>>> backend = default_backend()
>>> key = os.urandom(32)
>>> iv = os.urandom(16)
>>> cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
>>> encryptor = cipher.encryptor()
>>> ct = encryptor.update(b"a secret message") + encryptor.finalize()
>>> decryptor = cipher.decryptor()
>>> decryptor.update(ct) + decryptor.finalize()
'a secret message’
The `key` above is a `bytes` object. It has storage somewhere. Even though it
is a read-only Python object, I can pierce the abstraction, if I have to, with
C.
My question is: has someone else already done so and published the handful of
methods needed?
If not, should this be an API added to cryptography?
Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
a...@ddg.com, +1 (512) 750-7596, twitter.com/adonoho
Doubt is not a pleasant condition, but certainty is absurd.
— Voltaire
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
