Is there a passphrase per user, or just one for the whole app (perhaps entered by an admin user)? In either case, I suppose you could use cache.ram, but if there is a passphrase per user, you would need a unique key for each user (e.g., the user ID), and you would also need to do some occasional cleanup of old passphrases.
Anthony On Wednesday, December 16, 2015 at 10:27:22 AM UTC-5, Gary Cowell wrote: > > Hello > > I want to encrypt fields in the database, because of reasons. I've been > through the arguments, but there we have it. > > I look at this web2py slice: > > > http://www.web2pyslices.com/slice/show/2012/encrypt-information-into-the-database > > And it gives a good illustration of how to do it in model with a lambda. > BUT... > > It has a hard coded symmetric key, which I don't want. > > What I want to do is have a form which accepts a pass phrase. > > I will salt and hash this, to come up with a hash to use as the symmetric > key. I want to make this salty hash available to all subsequent sessions > and requests, but I do not want it going to session files or a database. > > What would be the best way to do that? > > In this way, if the web2py is started up, no encrypted fields will be > served via REST, until someone uses the pass phrase form and puts in the > correct phrase (a canary column will be decrypted to check the valid key). > > Thus, we can avoid storing symmetric key either in code, or in config > files, environment variables etc. But of course, requires intervention > from a human in the event of server/service restart. This is acceptable. > > Thanks for any help > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.