Python cryptography.fernet implements file encryption and decryption tutorial

This tutorial details how to use the fernet module in Python's cryptography library to implement file encryption and decryption operations. The article will cover the generation, management and reuse of Fernet keys, as well as how to securely perform encryption and decryption processes in files, and emphasize the importance of secure key storage to ensure data confidentiality.

1. Introduction: Introduction to cryptography.fernet

Today, when information security is becoming increasingly important, encrypting sensitive data is a basic means to protect its confidentiality. Python's cryptography library provides a set of powerful and easy-to-use encryption tools, of which the fernet module is ideal for implementing symmetric encryption. Fernet is a symmetric encryption scheme based on the AES algorithm, which ensures message authentication, integrity and confidentiality, and is easy to integrate into applications.

The core principle of Fernet is to use a shared key to encrypt and decrypt data. This means that the key used to encrypt the data must be exactly the same as the key used to decrypt the data. If the key is lost or compromised, the data cannot be recovered or is at risk of unauthorized access.

2. Core concepts: key generation and Fernet examples

Before using Fernet for file encryption and decryption, we need to understand its two key concepts: key generation and creation of Fernet instances.

2.1 Key generation

The Fernet key is a 32-byte URL-safe Base64 encoded string. It is the basis of symmetric encryption and must be kept strictly confidential. A brand new key can be generated through the Fernet.generate_key() method.

 from cryptography.fernet import Fernet

# Generate a Fernet key key = Fernet.generate_key()
print(f"Generated Fernet key (Base64 encoded): {key.decode()}")

Important: Each call to Fernet.generate_key() generates a completely new and different key. For data that requires persistent encryption, you must save the generated key and reuse it in subsequent decryption operations.

2.2 Fernet instance creation

Once you have the key, you can use it to create a Fernet instance. This instance will be used to perform the actual encryption and decryption operations.

 # Create a Fernet instance using the generated key cipher = Fernet(key)

3. File encryption and decryption operations

Fernet instances provide encrypt() and decrypt() methods to handle byte data. For file operations, we usually need to read the file content in binary mode, encrypt or decrypt it, and then write the processed content to the file.

3.1 Implementation of in-place encryption and decryption

The following code example shows how to implement in-place encryption and decryption of files in a single function. This means that the file contents are directly replaced with encrypted or decrypted data.

 import os
from cryptography.fernet import Fernet
from cryptography.fernet import InvalidToken # Used to handle decryption failure exceptions def process_file_in_place(filename: str, cipher: Fernet, action: str, debug: bool = False):
    """
    Encrypt or decrypt file contents in-place.

    Args:
        filename (str): The file path to be processed.
        cipher (Fernet): Fernet encryption instance.
        action (str): Action type, which can be "encrypt" or "decrypt".
        debug (bool): Whether to print the encrypted content after encryption.
    """
    # Open the file in binary read and write mode (rb allows reading and writing, the file pointer is initially at the beginning)
    with open(filename, "rb ") as data_file:
        content = data_file.read() # Read all contents of the file # Perform encryption or decryption according to the specified operation processed_content = b""
        if action == "encrypt":
            processed_content = cipher.encrypt(content)
            if debug:
                print(f"Encrypted content (bytes): {processed_content}")
        elif action == "decrypt":
            try:
                processed_content = cipher.decrypt(content)
                if debug:
                    print(f"Decrypted content (bytes): {processed_content}")
            exceptInvalidToken:
                print(f"Error: Unable to decrypt file '{filename}'. There may be a key mismatch or the data is corrupted.")
                return # Decryption failed, exit function else:
            raise ValueError("Operation type must be 'encrypt' or 'decrypt'")

        # Move the file pointer to the beginning of the file data_file.seek(0)
        #Write the processed content data_file.write(processed_content)
        # If the new content is shorter than the old content, truncate the file to ensure the file size is correct data_file.truncate()

if __name__ == "__main__":
    test_filename = "example_data.txt"
    original_text = "Hello, world! This is a secret message that needs to be protected."

    # 1. Create a raw plain text file with open(test_filename, "w", encoding="utf-8") as f:
        f.write(original_text)
    print(f"Original file '{test_filename}' content: {original_text}")

    # 2. Generate a Fernet key and create an instance # Note: This key is only used for this run. In actual applications, persistent storage key_for_example = Fernet.generate_key() is required
    cipher_for_example = Fernet(key_for_example)
    print(f"Generated Fernet key (Base64 encoded): {key_for_example.decode()}")

    # 3. Encrypted file print("\n---Perform encryption---")
    process_file_in_place(test_filename, cipher_for_example, "encrypt", debug=True)
    with open(test_filename, "rb") as f:
        print(f"The binary content (part) of the encrypted file '{test_filename}': {f.read()[:50]}...") # Only print the first 50 bytes # 4. Decrypt the file print("\n---Execute decryption---")
    process_file_in_place(test_filename, cipher_for_example, "decrypt")
    with open(test_filename, "r", encoding="utf-8") as f: # The decrypted content can be read as text decrypted_text = f.read()
    print(f"Decrypted file '{test_filename}' content: {decrypted_text}")

    # 5. Verify whether the decrypted content matches the original content assert decrypted_text == original_text
    print("\nVerification successful: the decrypted content is consistent with the original content.")

    # Clean up the test file if os.path.exists(test_filename):
        os.remove(test_filename)

Code analysis:

• open(filename, "rb "): Open the file in binary read-write mode. r means read, b means binary, which means writing operations are allowed at the same time. The file pointer is initially located at the beginning of the file.
• data_file.read(): Read the entire contents of the file. For large files, it may be necessary to read and process them in chunks.
• cipher.encrypt(content) / cipher.decrypt(content): Perform encryption or decryption operations. These methods accept and return bytes.
• data_file.seek(0): Reposition the file pointer to the beginning of the file so that new content can be written from the beginning.
• data_file.write(processed_content): Write the encrypted or decrypted content to the file.
• data_file.truncate(): Very important! If the newly written content is shorter than the original content, old data may remain at the end of the file. The truncate() method truncates the file to the current file pointer position, clearing out excess old data.

4. Key management: persistence and reuse

In practical applications, it is not feasible to generate a new key every time the program is run. To be able to encrypt and decrypt data at different points in time or between different program instances, keys must be stored persistently and reused.

4.1 Correct key persistence method

Proper key persistence

The above is the detailed content of Python cryptography.fernet implements file encryption and decryption tutorial. For more information, please follow other related articles on the PHP Chinese website!