Django way
Consider This: Protecting Sensitive Information in Django Applications Connected to External Services

Consider This: Protecting Sensitive Information in Django Applications Connected to External Services

Azeez Aremu's photo
Azeez Aremu
·

4 min read

In today's digital age, the importance of data security cannot be overstated. This is especially crucial for platforms that must register their users on third-party cloud SaaS solutions. Safeguarding sensitive information such as API tokens used to authenticate and communicate with these external systems is essential.

This blog post will explore how to securely manage API tokens and sensitive data in Django applications using Python's cryptography library.

Encryption

Encryption is a process that transforms readable data into an unreadable format using an encryption algorithm and a secret key. Only those with the correct decryption key can convert the data back to its original form. This technique is fundamental for protecting sensitive information, ensuring that unauthorized parties cannot access or understand the data even if they intercept it.

Why Encrypt Sensitive Data?

When interacting with external platforms, applications often require API tokens or credentials for registered users to perform service interaction. Encrypting these sensitive pieces of information ensures that even if the database is compromised, the information remains unreadable without the correct decryption key.

Types of Encryption

Encryption can be broadly categorized into two types:

  • Symmetric Encryption: The same key is used for both encryption and decryption. It is fast and efficient but requires secure key management.

  • Asymmetric Encryption: Uses a pair of keys—a public key for encryption and a private key for decryption. This method is more secure for key exchanges but computationally more expensive.

Fernet Encryption

Fernet encryption is a symmetric encryption scheme that provides a secure and easy-to-implement solution for encrypting sensitive data. Fernet ensures message confidentiality and integrity, making it an ideal choice for API token encryption.

While there are other symmetric encryption algorithms like AES (Advanced Encryption Standard), ChaCha20, and Triple DES, Fernet stands out because:

  • It provides authenticated encryption, ensuring both confidentiality and integrity.

  • It handles base64 encoding internally, making encrypted data easier to store and transfer.

  • It abstracts key management complexities, making it developer-friendly.

Asymmetric Encryption Considerations

Asymmetric encryption algorithms, such as RSA and Elliptic Curve Cryptography (ECC), are essential for secure key exchanges and digital signatures. However, due to their computational complexity and less straightforward key management, they are generally less suitable for encrypting API tokens in a high-performance environment. Instead, symmetric encryption like Fernet is preferred for its efficiency.

Fernet Encryption with Django's SECRET_KEY

Let’s implement a secure encryption and decryption mechanism using Fernet encryption. The encryption key will be derived from Django's SECRET_KEY to maintain a single source of entropy for security purposes.

Generate the Fernet Key

First we need to generate a Fernet key from Django's SECRET_KEY, we use the HKDF (HMAC-based Key Derivation Function) with the SHA256 hashing algorithm.

import base64
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives import hashes
from cryptography.fernet import Fernet
from django.conf import settings

def get_fernet_key():
    secret_key_bytes = settings.SECRET_KEY.encode()
    hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,
        info=b'fernet key derivation'
    )
    key = hkdf.derive(secret_key_bytes)
    return base64.urlsafe_b64encode(key)

Encrypting API Tokens

With the Fernet key in place, we can encrypt sensitive API tokens before storing them.

from cryptography.fernet import Fernet
import base64

def encrypt_data(data_to_encrypt):
    key = get_fernet_key()
    cipher = Fernet(key)
    encrypted_bytes = cipher.encrypt(data_to_encrypt.encode())
    encrypted_base64 = base64.urlsafe_b64encode(encrypted_bytes)
    return encrypted_base64.decode()

Decrypting API Tokens

To retrieve the original API token, we need to decrypt it.

from cryptography.fernet import Fernet
import base64

def decrypt_data(encrypted_data):
    key = get_fernet_key()
    cipher = Fernet(key)
    encrypted_bytes = base64.urlsafe_b64decode(encrypted_data.encode())
    decrypted_bytes = cipher.decrypt(encrypted_bytes).decode()
    return decrypted_bytes

Managing API Tokens Securely

When registering users or integrating with external services, securely managing sensitive user data is essential. One effective approach is to encrypt the tokens as shown above and store them in your database. This ensures that the tokens can be safely retrieved whenever required.

Storing Encrypted Tokens in the Database

To securely store API tokens for registered users, you can create encrypted fields in your Django models. These fields will hold the encrypted versions of the tokens, keeping them safe even if the database is compromised. Make sure that data, like “api_token” shown below, is encrypted before saving it in the database.

from django.db import models
from django.contrib.auth.models import AbstractUser

class User(AbstractUser):
    api_token = models.TextField(blank=True, null=True)
    token_created_at = models.DateTimeField(null=True, blank=True)
    token_expires_at = models.DateTimeField(null=True, blank=True)

Best Practices

  • Secure Your SECRET_KEY: Never expose or hardcode your Django SECRET_KEY. Store it securely using environment variables.

  • Regularly Rotate Keys: Consider implementing key rotation strategies to reduce the impact of a key compromise.

  • Encrypt Only When Necessary: Encrypt only sensitive data to avoid unnecessary performance overhead.

  • Use Django Signals for Automation: Automate encryption and decryption processes using Django signals when saving and retrieving data if it improves performance.

  • Secure Communication: Always use HTTPS and secure protocols when communicating with external cloud platforms.

Conclusion

By using Fernet encryption, following best practices for secure token management, and considering key rotation policies, you can greatly improve the security of your Django applications, especially when working with third-party platforms. Data security is an ongoing process, not a one-time task. Regularly review and update your security practices to stay ahead of new threats.

Stay tuned for the next post in the Consider This series, where we continue to tackle real-world business challenges using Django!

DjangoSecurityencryptionexternal api