util.encrypted_fields
Encrypted fields for sensitive data using PKCS#11 DEK encryption.
Classes
- EncryptedTextField: A TextField that automatically encrypts/decrypts data using PKCS#11 DEK.
- EncryptedCharField: A CharField that automatically encrypts/decrypts data using PKCS#11 DEK.
Module Contents
- class util.encrypted_fields.EncryptedTextField(*args, **kwargs)
Bases: django.db.models.TextField[str,str]
A TextField that automatically encrypts/decrypts data using PKCS#11 DEK.
This field uses AES-256-CBC encryption with the DEK (Data Encryption Key) from the PKCS#11 token to encrypt sensitive data before storing it in the database.
- Parameters:
args (Any)
kwargs (Any)
- raise_validation_error(msg)
Raise a ValidationError with the given message.
- Parameters:
msg (str) – The error message to include in the ValidationError.
- Raises:
ValidationError – Always raised with the provided message.
- Return type:
Never
- should_encrypt()
Check if encryption should be used based on crypto storage configuration.
- Returns:
True if storage type is SoftHSM or Physical HSM, False for software storage.
- Return type:
bool
- Raises:
ValidationError – If crypto storage config is not found or there’s an error accessing it.
- get_dek()
Get the DEK from PKCS#11 token, preferring cached value.
- Returns:
The 32-byte DEK.
- Return type:
bytes
- Raises:
ValidationError – If no PKCS#11 token is configured or DEK unavailable.
- encrypt_value(value)
Encrypt a string value using AES-256-GCM with the PKCS#11 DEK.
- Parameters:
value (str) – The plaintext string to encrypt.
- Returns:
Base64-encoded encrypted data in format: nonce:tag:ciphertext
- Return type:
str
- decrypt_value(encrypted_value)
Decrypt a base64-encoded encrypted value using the PKCS#11 DEK.
- Parameters:
encrypted_value (str) – Base64-encoded encrypted data.
- Returns:
The decrypted plaintext string.
- Return type:
str
- from_db_value(value, expression, connection)
Convert value from database to Python object.
This method is called when data is loaded from the database.
- Parameters:
value (Any)
expression (Any)
connection (Any)
- Return type:
str | None
- class util.encrypted_fields.EncryptedCharField(*args, **kwargs)
Bases: django.db.models.CharField[str,str]
A CharField that automatically encrypts/decrypts data using PKCS#11 DEK.
Similar to EncryptedTextField but with CharField constraints.
- Parameters:
args (Any)
kwargs (Any)
- raise_validation_error(msg)
Raise a ValidationError with the given message.
- Parameters:
msg (str) – The error message to include in the ValidationError.
- Raises:
ValidationError – Always raised with the provided message.
- Return type:
Never
- should_encrypt()
Check if encryption should be used based on crypto storage configuration.
- Returns:
True if storage type is SoftHSM or Physical HSM, False for software storage.
- Return type:
bool
- Raises:
ValidationError – If crypto storage config is not found or there’s an error accessing it.
- encrypt_value(value)
Encrypt a string value using AES-256-GCM with the PKCS#11 DEK.
- Parameters:
value (str)
- Return type:
str
- decrypt_value(encrypted_value)
Decrypt a base64-encoded encrypted value using the PKCS#11 DEK.
- Parameters:
encrypted_value (str)
- Return type:
str
- from_db_value(value, expression, connection)
Convert value from database to Python object.
- Parameters:
value (Any)
expression (Any)
connection (Any)
- Return type:
str | None
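
An added example (not the project's own code) of the stored-value envelope that encrypt_value and decrypt_value describe, using AESGCM from the `cryptography` package. Assumptions: the stored string is base64 of the raw concatenation nonce || tag || ciphertext with a 12-byte nonce and 16-byte tag, the function names are hypothetical, and a locally generated 32-byte key stands in for the DEK that get_dek() returns from the PKCS#11 token.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # assumption: standard 96-bit GCM nonce
TAG_LEN = 16    # assumption: full 128-bit GCM tag


def encrypt_field_value(dek: bytes, value: str) -> str:
    """Return base64(nonce || tag || ciphertext) for a plaintext string."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes for AES-256")
    nonce = os.urandom(NONCE_LEN)  # fresh per value; never reuse under one DEK
    sealed = AESGCM(dek).encrypt(nonce, value.encode("utf-8"), None)
    # The library returns ciphertext with the tag appended; reorder for storage.
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return base64.b64encode(nonce + tag + ciphertext).decode("ascii")


def decrypt_field_value(dek: bytes, encrypted_value: str) -> str:
    """Parse the envelope, verify the tag, and return the plaintext."""
    # validate=True rejects non-alphabet characters instead of skipping them.
    raw = base64.b64decode(encrypted_value, validate=True)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("stored value too short to hold nonce and tag")
    nonce = raw[:NONCE_LEN]
    tag = raw[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ciphertext = raw[NONCE_LEN + TAG_LEN:]
    try:
        plaintext = AESGCM(dek).decrypt(nonce, ciphertext + tag, None)
    except InvalidTag:
        # Wrong DEK or a modified row: fail closed, never return partial data.
        raise ValueError("authentication failed for stored value") from None
    return plaintext.decode("utf-8")


if __name__ == "__main__":
    dek = os.urandom(32)  # constructed stand-in for the token-held DEK
    stored = encrypt_field_value(dek, "constructed-sample-secret")
    print(stored)
    print(decrypt_field_value(dek, stored))
```

A value that was written unencrypted (should_encrypt() returning False) will not pass the tag check, so a caller has to know which mode a row was written in before calling the decrypt path.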