
django-crypto-fields
====================
|pypi| |actions| |codecov| |downloads| |maintainability| |black|
Add encrypted field classes to your Django models where ``unique=True`` and ``unique_together`` attributes work as expected.
Current version
---------------

+-------------------------+----------------+---------------+----------+-----------+
| Version                 | Python         | Django        | DB       | Cache     |
+=========================+================+===============+==========+===========+
| 1.0.0+                  | 3.12+          | 5.2+          | mysql    | cache     |
|                         |                |               | postgres | framework |
+-------------------------+----------------+---------------+----------+-----------+
Older versions
--------------

+-------------------------+----------------+---------------+----------+-----------+
| Version                 | Python         | Django        | DB       | Cache     |
+=========================+================+===============+==========+===========+
| < 0.3.7                 | 3.8, 3.9, 3.10 | 3.2, 4.0, 4.1 | mysql    | N/A       |
+-------------------------+----------------+---------------+----------+-----------+
| 0.3.8 - 0.3.9           | 3.11+          | 4.2+          | mysql    | N/A       |
+-------------------------+----------------+---------------+----------+-----------+
| 0.4.0 - 0.4.1           | 3.11+          | 4.2+          | mysql    | cache     |
|                         |                |               |          | framework |
+-------------------------+----------------+---------------+----------+-----------+
| 0.4.2+                  | 3.11+          | 4.2+          | mysql    | cache     |
|                         |                |               | postgres | framework |
+-------------------------+----------------+---------------+----------+-----------+
``django-crypto-fields`` uses ``pycryptodomex``.

We use this module in projects built with the ClinicEDC_, a clinical trials data management framework.
.. code-block:: python

    from django.db import models
    from django_crypto_fields.fields import EncryptedTextField, FirstnameField, IdentityField


    class PatientModel(models.Model):
        first_name = FirstnameField(verbose_name="First Name")
        identity = IdentityField(verbose_name="Identity", unique=True)
        comment = EncryptedTextField(max_length=500)

Add to ``INSTALLED_APPS``:

.. code-block:: python

    INSTALLED_APPS = (
        # ...
        'django_crypto_fields.apps.AppConfig',
        # ...
    )

Add ``DJANGO_CRYPTO_FIELDS_KEY_PATH`` pointing at the key folder in settings:

.. code-block:: python

    # folder where the encryption keys are stored
    # Do not set for tests
    DJANGO_CRYPTO_FIELDS_KEY_PATH = '/etc/myproject/django_crypto_fields'

Add ``KEY_PREFIX`` (optional, the default is "user"):

.. code-block:: python

    # optional filename prefix for encryption key files:
    KEY_PREFIX = 'bhp066'

Run ``migrate`` to create the ``django_crypto_fields.crypt`` table:

.. code-block:: bash

    python manage.py migrate django_crypto_fields
Take care of the encryption keys!
---------------------------------

In your tests you can set ``settings.DEBUG = True`` and ``settings.AUTO_CREATE_KEYS = True`` so that keys are generated for your tests. Encryption keys will not automatically generate on a production system (``DEBUG=False``) unless ``settings.AUTO_CREATE_KEYS = True``.

By default it assumes your test module is ``runtests.py``. You can change this by setting ``settings.DJANGO_CRYPTO_FIELDS_TEST_MODULE``.

The encryption keys are loaded as a side effect of accessing the ``keys`` module. The ``keys`` module is imported in this app's ``AppConfig`` just before ``import_models``.

During runtime the encryption keys are stored in the ``encryption_keys`` global.

See module ``apps.py``, module ``keys.py`` and the ``fields.BaseField`` constructor.
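The two settings above decide whether a host mints its own keys or expects an existing key set, and the key folder itself is where the secrets really live. The following is an added example (not part of the project) of a start-up check a deployment might run: it takes a plain ``dict`` standing in for ``django.conf.settings`` (an assumption made for the example), flags ``AUTO_CREATE_KEYS`` left on outside ``DEBUG``, and checks that the ``DJANGO_CRYPTO_FIELDS_KEY_PATH`` folder and every file in it are readable by the owner only. ``make_demo_key_folder`` builds a throwaway folder with a constructed key file so the check can be exercised offline; the file name it uses is invented for the demo and is not one of the library's key file names.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let anyone other than the owner read, write or
# traverse a path.
_GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def check_crypto_key_settings(settings: dict) -> list[str]:
    """Return a list of findings for the key-handling settings.

    ``settings`` is a plain mapping standing in for ``django.conf.settings``
    (assumption made for this example). The keys inspected are the ones the
    README names: DEBUG, AUTO_CREATE_KEYS and DJANGO_CRYPTO_FIELDS_KEY_PATH.
    An empty list means nothing looked wrong.
    """
    findings: list[str] = []
    debug = bool(settings.get("DEBUG", False))
    auto_create = bool(settings.get("AUTO_CREATE_KEYS", False))
    key_path = settings.get("DJANGO_CRYPTO_FIELDS_KEY_PATH")

    if debug:
        # Test runs are expected to mint throwaway keys; nothing to check.
        return findings

    if auto_create:
        findings.append(
            "AUTO_CREATE_KEYS=True with DEBUG=False: a host with an empty key "
            "folder would generate a fresh key set instead of refusing to start"
        )
    if not key_path:
        findings.append("DJANGO_CRYPTO_FIELDS_KEY_PATH is not set")
        return findings

    folder = Path(key_path)
    if not folder.is_dir():
        findings.append(f"key folder {folder} does not exist")
        return findings

    folder_mode = stat.S_IMODE(folder.stat().st_mode)
    if folder_mode & _GROUP_OR_WORLD:
        findings.append(f"key folder {folder} is group/world accessible (mode {folder_mode:04o})")

    key_files = [p for p in folder.iterdir() if p.is_file()]
    if not key_files:
        findings.append(f"key folder {folder} contains no key files")
    for key_file in key_files:
        file_mode = stat.S_IMODE(key_file.stat().st_mode)
        if file_mode & _GROUP_OR_WORLD:
            findings.append(
                f"key file {key_file.name} is group/world accessible (mode {file_mode:04o})"
            )
    return findings


def make_demo_key_folder(file_mode: int = 0o600, folder_mode: int = 0o700) -> str:
    """Create a temporary folder holding one constructed key file (demo data only)."""
    folder = tempfile.mkdtemp(prefix="crypto-keys-demo-")
    os.chmod(folder, folder_mode)
    key_file = Path(folder) / "demo.key"  # invented name, not a library key file
    key_file.write_bytes(b"constructed-key-material")
    os.chmod(key_file, file_mode)
    return folder


if __name__ == "__main__":
    good = make_demo_key_folder()
    print(check_crypto_key_settings({"DEBUG": False, "DJANGO_CRYPTO_FIELDS_KEY_PATH": good}))  # []
    loose = make_demo_key_folder(file_mode=0o644)
    for finding in check_crypto_key_settings(
        {"DEBUG": False, "AUTO_CREATE_KEYS": True, "DJANGO_CRYPTO_FIELDS_KEY_PATH": loose}
    ):
        print("-", finding)
```

Running the check from a deployment script or a Django system check keeps a misconfigured production host from starting with generated keys or a readable key folder; the permission test is POSIX-specific.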
``django-crypto-fields`` has been used in our audited research projects that use our "Edc" for data collection and management. Data collected in our Edc are considered "source documents". ``django-crypto-fields`` adds field level encryption for sensitive field values such as names, identifiers, dob, etc (PII). Authorized study personnel accessing the data through the application can see PII. Downstream data management staff and statisticians accessing the database directly cannot.
- Each value is stored as a hash (``hashlib.pbkdf2_hmac``) and a secret (``rsa`` or ``aes``);
- the ``django-crypto-fields`` field class stores the hash only;
- the encryption keys are kept in the ``KEY_PATH`` folder;
- ``unique=True`` and ``unique_together`` attributes work as expected;
- to remove every secret at once, drop the ``Crypt`` table from the DB (it has all the secrets);
- use ``KEY_FILENAMES`` to create as many sets of keys as needed. With multiple sets of keys you have more control over who gets to see what.

Lookups ``['startswith', 'istartswith', 'endswith', 'iendswith', 'contains', 'icontains', 'iexact']`` are not supported.

Alongside ``django-crypto-fields``, we take all the basic security precautions: OS and application-level password protection, full-drive encryption, physical security and so on.

Other encrypted field modules are available if you just want to use encrypted field classes in Django models and do not need unique constraints nor plan to join tables on encrypted fields for analysis.
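The hash/secret split described above is what lets ``unique=True`` and exact-match queries keep working on encrypted data, and it is also why prefix and substring lookups cannot. The following is an added example, written for this page and not taken from the project, that reproduces the layout with the standard library: a deterministic salted ``hashlib.pbkdf2_hmac`` hash carries the UNIQUE constraint in the model table, while a separate ``crypt`` table maps that hash to an encrypted secret. Everything in it is constructed for the demo: the salt and key bytes, the in-memory SQLite schema, and the stand-in stream cipher (HMAC-SHA256 in counter mode), which replaces the library's AES/RSA handling only so the example runs without ``pycryptodomex``.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed values for this example only. A real deployment keeps the salt
# and the key material in the KEY_PATH folder, never in source code.
SALT = b"constructed-example-salt"
KEY_STANDIN = bytes(range(32))
PBKDF2_ITERATIONS = 100_000


def field_hash(value: str) -> str:
    """Salted, deterministic hash of a field value (hashlib.pbkdf2_hmac).

    Equal plaintexts give equal hashes, so the hash can carry a UNIQUE
    constraint and answer exact-match queries without exposing the value.
    The hash keeps nothing of the plaintext's shape, which is why prefix and
    substring lookups cannot be supported.
    """
    return hashlib.pbkdf2_hmac("sha256", value.encode(), SALT, PBKDF2_ITERATIONS).hex()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # on the standard library alone. It only illustrates the hash/secret split;
    # it is not the library's AES/RSA code and is not a substitute for it.
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_secret(key: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext. A fresh nonce per value means two equal
    plaintexts produce different secrets, so the secret is useless for lookups."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_secret(key: bytes, blob: bytes) -> str:
    nonce, ciphertext = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


class HashSecretStore:
    """Two-table layout: the model table holds only the hash; the crypt table
    maps hash -> encrypted secret. Runs entirely in an in-memory sqlite3 DB."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE patient (id INTEGER PRIMARY KEY, identity_hash TEXT UNIQUE NOT NULL)"
        )
        self.db.execute("CREATE TABLE crypt (hash TEXT PRIMARY KEY, secret BLOB NOT NULL)")

    def save_patient(self, identity: str) -> bool:
        """Insert a patient; return False when unique=True rejects a duplicate."""
        h = field_hash(identity)
        try:
            with self.db:  # one transaction: both rows land or neither does
                self.db.execute(
                    "INSERT OR IGNORE INTO crypt (hash, secret) VALUES (?, ?)",
                    (h, encrypt_secret(KEY_STANDIN, identity)),
                )
                self.db.execute("INSERT INTO patient (identity_hash) VALUES (?)", (h,))
        except sqlite3.IntegrityError:
            return False
        return True

    def find_patient(self, identity: str):
        """Exact-match lookup through the hash; returns the row id or None."""
        row = self.db.execute(
            "SELECT id FROM patient WHERE identity_hash = ?", (field_hash(identity),)
        ).fetchone()
        return row[0] if row else None

    def reveal(self, identity_hash: str):
        """Decrypt the secret behind a hash; None if it (or the table) is gone."""
        try:
            row = self.db.execute(
                "SELECT secret FROM crypt WHERE hash = ?", (identity_hash,)
            ).fetchone()
        except sqlite3.OperationalError:  # crypt table has been dropped
            return None
        return decrypt_secret(KEY_STANDIN, row[0]) if row else None

    def drop_crypt_table(self) -> None:
        """Dropping the crypt table removes every secret in one step; the
        model table keeps its hashes, which are now opaque identifiers only."""
        with self.db:
            self.db.execute("DROP TABLE crypt")


if __name__ == "__main__":
    store = HashSecretStore()
    print("first save:", store.save_patient("123-45-6789"))      # True
    print("duplicate save:", store.save_patient("123-45-6789"))  # False
    print("lookup:", store.find_patient("123-45-6789"))          # 1
    print("secret:", store.reveal(field_hash("123-45-6789")))    # 123-45-6789
    store.drop_crypt_table()
    print("after drop:", store.reveal(field_hash("123-45-6789")))  # None
```

Two things the run makes visible: the duplicate insert is rejected by the database's own UNIQUE constraint on the hash column, with no plaintext involved, and ``field_hash("123-45")`` shares no prefix with ``field_hash("123-45-6789")``, so a ``startswith`` query has nothing to match against.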
.. _ClinicEDC: https://github.com/clinicedc

.. |pypi| image:: https://img.shields.io/pypi/v/django-crypto-fields.svg
    :target: https://pypi.python.org/pypi/django-crypto-fields

.. |actions| image:: https://github.com/erikvw/django-crypto-fields/actions/workflows/build.yml/badge.svg
    :target: https://github.com/erikvw/django-crypto-fields/actions/workflows/build.yml

.. |codecov| image:: https://codecov.io/gh/erikvw/django-crypto-fields/branch/develop/graph/badge.svg
    :target: https://codecov.io/gh/erikvw/django-crypto-fields

.. |downloads| image:: https://pepy.tech/badge/django-crypto-fields
    :target: https://pepy.tech/project/django-crypto-fields

.. |maintainability| image:: https://api.codeclimate.com/v1/badges/34293a3ec19da8d7fb16/maintainability
    :target: https://codeclimate.com/github/erikvw/django-crypto-fields/maintainability
    :alt: Maintainability

.. |black| image:: https://img.shields.io/badge/code%20style-black-000000.svg
    :target: https://github.com/ambv/black
    :alt: Code Style