1

I want to encrypt data into Postgres and then decrypt and read from it. I prefer using sqlalchemy and ORM but if it is difficult to do using sqlalchemy and ORM then I am curious to know the other ways also

I tried using the below code, It is encrypting into the database but it is not asking me for any key or anything for the decryption. May I know why?

import sqlalchemy as sa
from sqlalchemy import create_engine
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker

from sqlalchemy_utils import EncryptedType
from sqlalchemy_utils.types.encrypted.encrypted_type import AesEngine

secret_key = 'secretkey1234'
connection_string = '***********'
engine = create_engine(connection_string)
connection = engine.connect()
sa.orm.configure_mappers()
Session = sessionmaker(bind=connection)
session = Session()
Base = declarative_base()
class User(Base):
    __tablename__ = "user"
    id = sa.Column(sa.Integer, primary_key=True)
    username = sa.Column(EncryptedType(sa.Unicode,secret_key,AesEngine,'pkcs5'))
    number_of_accounts = sa.Column(EncryptedType(sa.Integer,secret_key,AesEngine,'oneandzeroes'))
Base.metadata.create_all(connection)

I run the below code for the decryption:

user_id = user.id
session.expunge_all()
user_instance = session.query(User).get(user_id)
print('username: {}'.format(user_instance.username))
Improve this question
3
  • "On the way in, the value is encrypted and on the way out the stored value is decrypted.", from sqlalchemy-utils.readthedocs.io/en/latest/…. Could you please provide an example of a failure to decrypt? Have a look at how to produce a minimal reproducible example. Commented Feb 22, 2019 at 7:04
  • You can use the functions in the database extension pgcrypto if that is an option for you. Commented Feb 22, 2019 at 7:09
  • @IljaEverilä Thanks for the reply Ilja, actually I am able to read the encrypted data from the database but it is not asking me for any key or anything for the decryption. May I know why? I run the below code from the same link you provided: user_id = user.id session.expunge_all() user_instance = session.query(User).get(user_id) print('username: {}'.format(user_instance.username)) Also, I have added the decryption in my original question as well Commented Feb 22, 2019 at 14:33

1 Answer 1

Reset to default
1

You have likely figured this out by now, as this question is a few years old, but for anyone else looking:

You are interacting with your Postgres tables through the model classes you define (in your example User).

When you execute a query, data is returned and passed through the class to determine how to process the response. From your example a query will return results for id, username and number_of_accounts. If you were to log each element returned, id would be processed as an int because that is how it is defined in your model.

Similarly, username and number_of_accounts will also be processed based on the definition in the User class - as an EncryptedType() value. This is a more complex datatype though. Your model defines the key to use for encryption/decryption. Prior to storing the value, the results are decrypted based on the context provided in your model. In this case using the AESEngine and decrypted with the key of 'secretkey1234'. That is why you don't need to specify a key on read. It is already defined in your model.

If you were to run a select * from user limit 1; query directly on your Postgres db, the values displayed for your two encrypted columns would remain encrypted, as you would not be passing the results through your defined model.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.