How to encrypt text with a password in python?

Question

Surprisingly difficult to find a straight answer to this on Google.

I'm wanting to collect a piece of text and a message from a user such as 1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc hello world.

Then I want to be able to encrypt/decrypt the message with the text somehow so that I can save it in my database and not worry about the data being exposed if my website gets hacked, encrypt('1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc', 'hello world') decrypt('1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc', <encrypted_text>)

Is there a simple way to achieve this with python and please can someone provide/direct me to an example.

Perhaps an example of how to create public/private key pairs using a seed such as '1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc'?

Many thanks in advance :)

EDIT: Just to be clear I'm looking for a way to encrypt my users data in a determanistic way not obfuscate the message.

If that means I have to generate a PGP/GPG pub/pri key pair on the fly by using the text 1PWP7a6xgoYx81VZocrDr5okEEcnqKkyDc as a seed then that's fine but what's the method to do this?

Answer 1

Here's how to do it properly in CBC mode, including PKCS#7 padding:

import base64 from Crypto.Cipher import AES from Crypto.Hash import SHA256 from Crypto import Random  def encrypt(key, source, encode=True):     key = SHA256.new(key).digest()  # use SHA-256 over our key to get a proper-sized AES key     IV = Random.new().read(AES.block_size)  # generate IV     encryptor = AES.new(key, AES.MODE_CBC, IV)     padding = AES.block_size - len(source) % AES.block_size  # calculate needed padding     source += bytes([padding]) * padding  # Python 2.x: source += chr(padding) * padding     data = IV + encryptor.encrypt(source)  # store the IV at the beginning and encrypt     return base64.b64encode(data).decode("latin-1") if encode else data  def decrypt(key, source, decode=True):     if decode:         source = base64.b64decode(source.encode("latin-1"))     key = SHA256.new(key).digest()  # use SHA-256 over our key to get a proper-sized AES key     IV = source[:AES.block_size]  # extract the IV from the beginning     decryptor = AES.new(key, AES.MODE_CBC, IV)     data = decryptor.decrypt(source[AES.block_size:])  # decrypt     padding = data[-1]  # pick the padding value from the end; Python 2.x: ord(data[-1])     if data[-padding:] != bytes([padding]) * padding:  # Python 2.x: chr(padding) * padding         raise ValueError("Invalid padding...")     return data[:-padding]  # remove the padding 

It's set to work with bytes data, so if you want to encrypt strings or use string passwords make sure you encode() them with a proper codec before passing them to the methods. If you leave the encode parameter to True the encrypt() output will be base64 encoded string, and decrypt() source should be also base64 string.

Now if you test it as:

my_password = b"secret_AES_key_string_to_encrypt/decrypt_with" my_data = b"input_string_to_encrypt/decrypt"  print("key:  {}".format(my_password)) print("data: {}".format(my_data)) encrypted = encrypt(my_password, my_data) print("\nenc:  {}".format(encrypted)) decrypted = decrypt(my_password, encrypted) print("dec:  {}".format(decrypted)) print("\ndata match: {}".format(my_data == decrypted)) print("\nSecond round....") encrypted = encrypt(my_password, my_data) print("\nenc:  {}".format(encrypted)) decrypted = decrypt(my_password, encrypted) print("dec:  {}".format(decrypted)) print("\ndata match: {}".format(my_data == decrypted)) 

your output would be similar to:

key:  b'secret_AES_key_string_to_encrypt/decrypt_with' data: b'input_string_to_encrypt/decrypt'  enc:  7roSO+P/4eYdyhCbZmraVfc305g5P8VhDBOUDGrXmHw8h5ISsS3aPTGfsTSqn9f5 dec:  b'input_string_to_encrypt/decrypt'  data match: True  Second round....  enc:  BQm8FeoPx1H+bztlZJYZH9foI+IKAorCXRsMjbiYQkqLWbGU3NU50OsR+L9Nuqm6 dec:  b'input_string_to_encrypt/decrypt'  data match: True 

Proving that same key and same data still produce different ciphertext each time.

Now, this is much better than ECB but... if you're going to use this for communication - don't! This is more to explain how it should be constructed, not really to be used in a production environment and especially not for communication as its missing a crucial ingredient - message authentication. Feel free to play with it, but you should not roll your own crypto, there are well vetted protocols that will help you avoid the common pitfalls and you should use those.