Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Encrypted Django Model Fields

Tags:

python

django

django-models

encryption

A client wants to ensure that I cannot read sensitive data from their site, which will still be administered by me. In practice, this means that I'll have database access, but it can't be possible for me to read the contents of certain Model Fields. Is there any way to make the data inaccessible to me, but still decrypted by the server to be browsed by the client?

like image 715
OwenK Avatar asked Aug 30 '09 04:08

OwenK

People also ask

How to encrypt database in Django?

To encrypt your data using django_cryptography, all you need to do is import encrypt from django_cryptography. fields and use it directly on each field where it is required. In app/models.py put the code given below. Then, add the code given below to app/admin.py to display your models on your admin page.

How do I encrypt text in Django?

Encrypt Password: To encrypt a password in Django, we use the built-in function make_password. This method turns a plain text password into a hash that can be stored in a database.

What encryption does Django use?

By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break.

1 Answers

This is possible with public key encryption. I have done something similar before in PHP but the idea is the same for a Django app:

All data on this website was stored encrypted using a private key held by the system software. The corresponding public key to decrypt the data was held by the client in a text file.

When the client wanted to access their data, they pasted the public key into an authorisation form (holding the key in the session) which unlocked the data.

When done, they deauthorised their session.

This protected the information against authorised access to the web app (so safe against weak username/passwords) and also from leaks at the database level.

This is still not completely secure: if you have root access to the machine you can capture the key as it is uploaded, or inspect the session information. For that the cure could be to run the reading software on the client's machine and access the database through an API.

I realise this is an old question but I thought I'd clarify that it is indeed possible.

like image 105
nOw2 Avatar answered Nov 14 '22 18:11

nOw2
Sign in to Comment

Related questions

operator.index with custom class instance
cannot import name 'secure_filename' from 'werkzeug'
"RuntimeError: expected scalar type Double but found Float" in Pytorch CNN training
how can I fix this WARNING in Xgboost?
How to access environment secrets from a Github workflow?
Denormalize/Restructure CDISC supplement data
Can't login with instabot
Why do keyword arguments to a class definition reappear after they were removed?
Find the indices where a sorted list of integer changes
Errors with Python's mechanize module
Tracd Realm
Rounding float to the nearest factor?
What values to use for FastCGI maxrequests, maxspare, minspare, maxchildren?
Determine if a listing is a directory or file in Python over FTP
Writing a binary buffer to a file in python
Getting Python System Calls as string results
Using string as variable name
Does urllib2 in Python 2.6.1 support proxy via https
When to use a Templating Engine in Python?
parsing month year pairs into datetime

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!