Flask-Vault provides several cli commands to store secrets that you do not want to keep in the clear, using symmetric encryption with AES-GCM. These commands allow you to save very important credentials such as API keys, database credentials, etc.
In addition, Flask-Vault contains several helpers to simplify the encryption and decryption of data.
In the world of web development, safeguarding sensitive information is a paramount concern. When it comes to managing credentials when using Flask, two prominent options emerge: Flask-Vault and Dotenv. While both have their merits, Flask-Vault stands out as the superior choice for securing critical data.
Flask-Vault offers a robust solution for protecting sensitive information. Stored in an encrypted credentials.yml.enc file, this data is shielded by an added layer of security. It can only be decrypted with the master key, ensuring that even if the file falls into the wrong hands, the information remains inaccessible.
Additionally, the encrypted editor, accessed through flask vault edit, allows for secure direct editing of the credentials file. This feature is invaluable for making swift adjustments to sensitive information without compromising security.
While both Flask-Vault and Dotenv serve important functions, Flask-Vault stands as the superior choice for securing sensitive data. Its robust encryption and seamless integration within Flask make it the ideal solution for managing critical information. By prioritizing security without sacrificing accessibility, Flask-Vault empowers developers to build and maintain applications with the utmost confidence in their data protection measures.
The encryption used by flask_vault is AES-GCM with a 128-bit key.
Here are some benefits of using AES-GCM with a 128-bit key:
-
Security: AES-GCM is considered secure and is widely used in various applications including TLS (Transport Layer Security) for securing internet communication.
-
Efficiency: AES-GCM is known for being relatively efficient in terms of computational resources. This is especially important in scenarios where computational power may be limited, such as on IoT (Internet of Things) devices.
-
Fast Encryption and Decryption: AES-GCM is optimized for modern processors, which means that it can encrypt and decrypt data relatively quickly. This is important for performance-sensitive applications.
-
Parallelization: AES-GCM encryption and decryption can be parallelized, which means that it can take advantage of multiple processing cores in modern CPUs.
-
Authenticated Encryption with Associated Data (AEAD): AES-GCM provides both confidentiality and integrity, which means that not only is the data encrypted, but it also includes a message authentication code (MAC) to verify that the data has not been tampered with.
-
Nonce-Based: AES-GCM requires a unique initialization vector (IV), called a nonce, for each encryption operation. This means that even if you encrypt the same data with the same key multiple times, the ciphertext will be different, adding an extra layer of security.
-
Widely Supported: AES-GCM is supported by many cryptographic libraries and frameworks, making it a practical choice for a wide range of applications.
-
Compliance: AES-GCM is often recommended or required by various security standards and compliance frameworks.
Flask-Vault uses few dependencies to secure data and files, here are the 2 main dependencies of this library:
python = ">=3.7"
cryptography = "^41.0.3"
pyyaml = "^6.0.1"Install and update using pip
$> pip install Flask-VaultInstall and update using poetry
$> poetry add Flask-Vaultfrom flask import Flask
from flask_vault.cli import vault_cli
app = Flask(__name__)
...
# Register Command using the
app.cli.add_command(vault_cli)
...The default editor used by Flask-Vault is vi.
The example below shows how to use an editor other than vi to show or edit credentials saved in credentials.yml.enc. As shown, the example will use nano editor to use the flask vault show command.
$> EDITOR=nano flask vault show-
flask vault init: The
flask vault initcommand will initialize the environment needed for Flask-Vault to operate. This command will create thecredentials.yml.encfile, themaster.keyfile and thetmpfolder (which will be used internally by Flask-Vault). If you run this command a second time, no action will be taken since you will not be able to overwrite the created files. -
flask vault get [secret_name]: The
flask vault getcommand will decryptcredentials.yml.encand display the selected secret in terminal. -
flask vault show: The
flask vault showcommand will decrypt the contents of thecredentials.yml.encfile usingmaster.keyand open it in read-only mode to show the saved credentials. -
flask vault edit: The
flask vault showcommand will decrypt the contents of thecredentials.yml.encfile usingmaster.keyand open it in edit mode. -
flask vault encrypt [filename]: The
flask vault encryptcommand will create an encrypted file. The generated file will be protected by AES-GCM encryption and will use a.encextension to distinguish it from the plaintext file. -
flask vault decrypt [filename]: The
flask vault decryptcommand will decrypt a file with the extension.encand display its contents in the terminal.
Encrypting data without exposing the encryption key within the application using flask_vault.utils.aes_gcm_encrypt
from flask import Flask
from flask_vault.utils import aes_gcm_encrypt
app = Flask(__name__)
@app.route("/encrypted", methods=["GET"])
def encrypted():
ctx = {
"encrypted": aes_gcm_encrypt("my.app.secret")
}
return render_template("encrypted.html", **ctx)Decrypting data without exposing the encryption key within the application using flask_vault.utils.aes_gcm_decrypt
from flask import Flask
from flask_vault.utils import aes_gcm_decrypt
app = Flask(__name__)
@æpp.route("/decrypt", methods=["GET"])
def decrypt():
encrypted_data = request.args.get("encrypted", None)
ctx = {
"plaintext": aes_gcm_decrypt(encrypted_data) if encrypted_data is not None else "Missing encrypted data!"
}
return render_template("decrypt.html", **ctx)The example below shows how to get secrets from the credentials.yml.enc file using Flask-Vault's get_secrets function. In this example get_secret will be used to configure the database, preventing anyone who does not have access to the master.key from reading the username, password, and database name in clear text
---
# ... other stuff
db.name: my-db-name
db.username: root
db.password: my-db-passwordUse the flask_vault.utils.get_secret function to obtain secrets and credentials stored inside the credentials.yml.enc file.
import sys
import mariadb
from flask import Flask, request, g
from flask_vault.utils import get_secret
app = Flask(__name__)
def get_db():
db = getattr(g, "_database", None)
if db is None:
try:
conn = mariadb.connect(
user=get_secret("db.username"),
password=get_secret("db.password")
host="127.0.0.1",
port=3306,
database=get_secret("db.name"),
)
db = g._database = conn
except mariadb.Error as e:
print(f"Error connecting to MariaDB Platform: {e}")
sys.exit(1)
return db
@app.teardown_appcontext
def close_connection(exception):
db = getattr(g, "_database", None)
if db is not None:
db.close()Questions, comments or improvements, please create an issue on Github.
To suggest a change to the code or documentation, please create a new pull request on GitHub. Also, please squash multiple commits into a single commit in your pull request by rebasing onto the master branch.
If you feel that my work has been useful and you are interested in supporting this project and any future projects, please leave me a donation using one of the following cryptocurrencies.
- Bitcoin (Segwit):
bc1q8vnltjge25dks05tv49eknvrar6pzu7837mnvt
MIT License
Copyright (c) 2023-present Adriano Romanazzo <github.com/multiversecoder>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.