File Cryptosystem

file_cryptosystem is a module implementing a file-based hybrid cryptosystem: data is encrypted under an RSA key pair whose private key is protected by a password, so anyone holding the public key can write to the file while only the password holder can read it.

class hycrypt.file_cryptosystem.FileCipher(file, public_key=None, padding_hash_algorithm=SHA256(), salt_length=16, public_exponent=65537, key_size=2048)

Convenient file-based hybrid encryption API.

  • The salt is random bytes mixed into the password that protects the encrypted private key, so an attacker cannot reuse a precomputed (rainbow) table against the password.

  • The public key can be stored and used to encrypt data at other times, and it can be shared freely. The scheme is one way: anyone holding the public key, you included, can encrypt new data into the file, but only the holder of the password can decrypt it.

  • The public key is optional when initializing FileCipher. The cipher stores the public key automatically when you call create() or read(), and uses it when write() replaces the file's encrypted data.

  • The key should be at least 2048 bits. A larger key is more secure, at the expense of key generation and decryption time, which grow faster than linearly with the key size. For security beyond 2030, 3072-bit keys are recommended.

Parameters:
  • file (File | BytesIO) – File path or path-like object or byte stream buffer

  • public_key (RSAPublicKey | None, optional) – The RSA public key to use in the encryption. Defaults to None.

  • padding_hash_algorithm (HashAlgorithm, optional) – Hash algorithm for asymmetric padding. Defaults to SHA256().

  • salt_length (int, optional) – The length of salt in bytes. Defaults to 16.

  • public_exponent (int, optional) – The public exponent of the key. You should always use 65537. Defaults to 65537.

  • key_size (int, optional) – The size of the new asymmetric key in bits. Defaults to 2048.

Examples

>>> from hycrypt.file_cryptosystem import FileCipher
>>> cipher = FileCipher("path/to/file")
>>> cipher.create(password=b"123456")
>>> cipher.write(b"secret stuff")
>>> cipher.read(password=b"123456")
b'secret stuff'
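The bullets above describe the mechanism without showing it. The following is an added illustrative implementation of that scheme written for this page with the `cryptography` library; it is not hycrypt's code and its on-disk layout (length-prefixed fields, AES-256-GCM for the symmetric part, PBKDF2-HMAC-SHA256 with 600,000 iterations for the password, the nonce length) is an assumption chosen for the example. It shows the salt feeding the password-derived key that locks the private key, a random data key wrapped with RSA-OAEP under the configured padding hash, a write path that needs only the public key, and a read path that fails cleanly on a wrong password. It also adds a check a practitioner wants that the page does not mention: refusing to write under a public key that does not belong to the stored key pair, since such a payload could never be opened with the file's password.

```python
import os
import struct
from io import BytesIO

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, PublicFormat, load_der_private_key, load_der_public_key)

NONCE_LEN = 12            # AES-GCM nonce length; a layout assumption of this example
KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; illustrative, not hycrypt's

def _oaep(hash_algorithm):
    """RSA-OAEP with the configured padding hash for both MGF1 and the label hash."""
    return padding.OAEP(mgf=padding.MGF1(hash_algorithm), algorithm=hash_algorithm, label=None)

def _password_key(password, salt):
    """Stretch password + random salt into a 256-bit key; the salt defeats precomputed tables."""
    return PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=KDF_ITERATIONS).derive(password)

def _seal(key, data):
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per encryption; output is nonce || ct || tag
    return nonce + AESGCM(key).encrypt(nonce, data, None)

def _open(key, blob):
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)

def _get(buf):
    (n,) = struct.unpack(">I", buf.read(4))  # one length-prefixed field
    return buf.read(n)

def _rewrite(buf, *blobs):
    """Truncate the buffer and write each blob as a length-prefixed field."""
    buf.seek(0)
    buf.truncate()
    for blob in blobs:
        buf.write(struct.pack(">I", len(blob)) + blob)

def _payload(plaintext, public_key, hash_algorithm):
    """Hybrid step: a random data key encrypts the message, RSA-OAEP wraps the data key."""
    data_key = AESGCM.generate_key(bit_length=256)
    return public_key.encrypt(data_key, _oaep(hash_algorithm)), _seal(data_key, plaintext)

def _header(buf):
    buf.seek(0)
    salt, locked_private, public_der = _get(buf), _get(buf), _get(buf)
    return salt, locked_private, public_der, load_der_public_key(public_der)

def hybrid_create(buf, plaintext, password, hash_algorithm=hashes.SHA256(), salt_length=16, key_size=2048):
    """New key pair, private key locked under the password, plaintext written. Returns the public key."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    public_key = private_key.public_key()
    salt = os.urandom(salt_length)
    private_der = private_key.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption())
    public_der = public_key.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
    _rewrite(buf, salt, _seal(_password_key(password, salt), private_der), public_der,
             *_payload(plaintext, public_key, hash_algorithm))
    return public_key

def hybrid_write(buf, plaintext, public_key, hash_algorithm=hashes.SHA256()):
    """Replace the payload using only the public key; the locked private key is kept as is."""
    salt, locked_private, public_der, stored_public = _header(buf)
    # A payload wrapped for a foreign key pair could never be opened with this file's password.
    if public_key.public_numbers() != stored_public.public_numbers():
        raise ValueError("public key does not match the key pair stored in the file")
    _rewrite(buf, salt, locked_private, public_der, *_payload(plaintext, public_key, hash_algorithm))

def hybrid_read(buf, password, hash_algorithm=hashes.SHA256()):
    """Unlock the private key with the password, unwrap the data key, decrypt. Returns (plaintext, public_key)."""
    salt, locked_private, _, public_key = _header(buf)
    wrapped_key, sealed = _get(buf), _get(buf)
    try:
        private_der = _open(_password_key(password, salt), locked_private)
    except InvalidTag:  # GCM tag failure: wrong password or tampered private-key block
        raise ValueError("wrong password or corrupted private-key block") from None
    private_key = load_der_private_key(private_der, password=None)
    data_key = private_key.decrypt(wrapped_key, _oaep(hash_algorithm))
    return _open(data_key, sealed), public_key

def _raises_value_error(fn):
    try:
        fn()
    except ValueError:
        return True
    return False

def demo():
    buf = BytesIO()  # constructed in-memory file with sample data
    public_key = hybrid_create(buf, b"secret stuff", b"123456")
    first, _ = hybrid_read(buf, b"123456")
    hybrid_write(buf, b"written with the public key only", public_key)  # no password needed
    second, _ = hybrid_read(buf, b"123456")
    wrong_rejected = _raises_value_error(lambda: hybrid_read(buf, b"wrong password"))
    foreign = hybrid_create(BytesIO(), b"", b"other")  # public key of a different key pair
    mismatch_rejected = _raises_value_error(lambda: hybrid_write(buf, b"x", foreign))
    return first, second, wrong_rejected, mismatch_rejected
```

Two design points carry over to any implementation of this scheme: the password is never used as a key directly but stretched with the salt through a slow KDF, and the symmetric layer is authenticated, so a wrong password or a tampered private-key block surfaces as a tag failure rather than as garbage plaintext.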
create(password, plaintext=None)

Create the file and encrypt its contents using the provided password. The resulting public key is stored in the cipher for later write() calls.

Parameters:
  • password (bytes) – The password for hybrid encryption

  • plaintext (bytes | None, optional) – The message you want to encrypt. Can be empty or None. Defaults to None.

read(password)

Decrypt the file using the password. The file's public key is stored in the cipher for later write() calls.

Parameters:

password (bytes) – The password for hybrid encryption

Returns:

plaintext

Return type:

bytes

write(plaintext, public_key=None)

Overwrite the file with new encrypted data. No password is needed; the data is encrypted under the public key stored by an earlier create() or read() call, or under the one passed explicitly.

Parameters:
  • plaintext (bytes) – The new message you want to encrypt

  • public_key (RSAPublicKey | None, optional) – The RSA public key to use in the encryption. Defaults to None.

Raises:

ValueError – When no public key is passed to this method and none is stored in the cipher. Call create() or read() first so the cipher stores the public key, or pass the public key explicitly.

hycrypt.file_cryptosystem.decrypt_file_with_password(file, password, padding_hash_algorithm=SHA256())

Decrypt the encrypted file using password

Parameters:
  • file (File | BytesIO) – File path or path-like object or byte stream buffer

  • password (bytes) – The password for hybrid encryption

  • padding_hash_algorithm (HashAlgorithm, optional) – Hash algorithm for asymmetric padding. Defaults to SHA256().

Returns:

plaintext, public_key

Return type:

tuple[bytes, RSAPublicKey]

hycrypt.file_cryptosystem.encrypt_file_with_password(file, plaintext, password, padding_hash_algorithm=SHA256(), salt_length=16, public_exponent=65537, key_size=2048)

Encrypt plaintext with password using hybrid encryption and write the encrypted data into file.

This function generates a new RSA key pair.

  • The salt is random bytes mixed into the password that protects the encrypted private key, so an attacker cannot reuse a precomputed (rainbow) table against the password.

  • The public key can be stored and used to encrypt data at other times, and it can be shared freely. The scheme is one way: anyone holding the public key, you included, can encrypt new data into the file, but only the holder of the password can decrypt it.

  • The key should be at least 2048 bits. A larger key is more secure, at the expense of key generation and decryption time, which grow faster than linearly with the key size. For security beyond 2030, 3072-bit keys are recommended.

Parameters:
  • file (File | BytesIO) – File path or path-like object or byte stream buffer

  • plaintext (bytes) – The message you want to encrypt

  • password (bytes) – The password for hybrid encryption

  • padding_hash_algorithm (HashAlgorithm, optional) – Hash algorithm for asymmetric padding. Defaults to SHA256().

  • salt_length (int, optional) – The length of salt in bytes. Defaults to 16.

  • public_exponent (int, optional) – The public exponent of the key. You should always use 65537. Defaults to 65537.

  • key_size (int, optional) – The size of the new asymmetric key in bits. Defaults to 2048.

Returns:

public_key

Return type:

RSAPublicKey

hycrypt.file_cryptosystem.encrypt_file_with_public_key(file, plaintext, public_key, padding_hash_algorithm=SHA256())

Encrypt plaintext with public key using hybrid encryption and write the encrypted data into file.

Parameters:
  • file (File | BytesIO) – File path or path-like object or byte stream buffer

  • plaintext (bytes) – The new message you want to encrypt

  • public_key (RSAPublicKey) – The RSA public key to use in the encryption.

  • padding_hash_algorithm (HashAlgorithm, optional) – Hash algorithm for asymmetric padding. Defaults to SHA256().