Question

I need to encrypt data stored in web2py, more precisely passwords.

This is not about authentication, but more something in the line of a KeePass-like application.

I've seen that PyMe is included in web2py, but M2Crypto and M2Secret could easily do that. With M2Secret I can use this:

import m2secret

# Encrypt
secret = m2secret.Secret()
secret.encrypt('my data', 'my master password')
serialized = secret.serialize()

# Decrypt
secret = m2secret.Secret()
secret.deserialize(serialized)
data = secret.decrypt('my master password')

But I would have to include the M2Crypto library in my appliance.

Is there a way to do this with PyMe which is already included with web2py?

Solution

By default web2py stores passwords hashed using HMAC+SHA512 so there is nothing for you to do. It is better than the mechanism that you suggest because encryption is reversible while hashing is not. You can change this and do what you ask above but it would not be any more secure than using plaintext (since you would have to expose the encryption key in the app).

Anyway. Let's say you have a

db.define_table('mytable', Field('myfield', 'password'))

and you want to use m2secret. You would do:

import m2secret

class MyValidator:
    # web2py validator protocol: __call__(value) returns (value, error),
    # formatter(value) returns the value to display
    def __init__(self, key): self.key = key
    def __call__(self, value):
        # called on insert/update: store the encrypted, serialized form
        secret = m2secret.Secret()
        secret.encrypt(value, self.key)
        return (secret.serialize(), None)
    def formatter(self, value):
        # called when a stored value is rendered back into a form
        if not value: return value
        secret = m2secret.Secret()
        secret.deserialize(value)
        return secret.decrypt(self.key)

db.mytable.myfield.requires = MyValidator("master password")

In web2py validators are also two way filters.
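The two-way validator pattern from the answer, as an added example that is not part of the original post or of web2py: it mimics how web2py drives a validator (calling `__call__` on insert, which must return `(value, error)`, and `formatter` when the stored value is rendered), and it substitutes a stdlib-only construction (PBKDF2 key derivation, HMAC-SHA256 in counter mode as the keystream, encrypt-then-MAC with a per-record random salt and nonce) for m2secret so it runs without M2Crypto. The names `seal`, `unseal`, `EncryptedField` and `simulate_round_trip` are this example's own; in a real application use a vetted AEAD library rather than this stand-in, and remember the answer's caveat that a key held in the app protects nothing against whoever can read the app.

```python
"""Two-way web2py-style validator: encrypt on write, decrypt for display.

Added example (not web2py's or m2secret's code). The cipher below is a
stdlib-only stand-in for m2secret; the validator protocol it follows is
web2py's: __call__(value) -> (value, error), formatter(value) -> display value.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption: tune for your hardware
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master, salt):
    # One PBKDF2 call yields both the encryption and the MAC key (independent halves).
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: PRF(nonce || counter) blocks, truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext, master):
    """Return base64(salt || nonce || ciphertext || tag); fresh salt and nonce per record."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master, salt)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return base64.b64encode(salt + nonce + ct + tag).decode("ascii")


def unseal(token, master):
    """Inverse of seal; raises ValueError on a wrong key or a tampered token."""
    raw = base64.b64decode(token)
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = raw[SALT_LEN + NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before touching the ciphertext
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")


class EncryptedField:
    """Validator in web2py's shape: requires = EncryptedField(master)."""

    def __init__(self, master):
        self.master = master

    def __call__(self, value):
        # web2py calls this on insert/update; the first tuple element is what gets stored.
        try:
            return (seal(value, self.master), None)
        except Exception as exc:
            return (value, "could not encrypt: %s" % exc)

    def formatter(self, value):
        # web2py calls this to render the stored value; never echo a failed decrypt as data.
        if not value:
            return value
        try:
            return unseal(value, self.master)
        except ValueError:
            return "<unreadable>"


def simulate_round_trip(master, plaintext):
    """Drive the validator the way web2py would: validate on insert, then format for display."""
    validator = EncryptedField(master)
    stored, error = validator(plaintext)
    if error is not None:
        raise RuntimeError(error)
    return stored, validator.formatter(stored)


if __name__ == "__main__":
    stored, shown = simulate_round_trip("master password", "s3cret-for-site")   # constructed input
    print("stored:", stored)
    print("shown: ", shown)
```

Because the salt and nonce are random per record, two stores of the same password produce different ciphertext, so the database column leaks nothing about which records share a value; the MAC check in `unseal` means a wrong master password or an edited row surfaces as `<unreadable>` in the form rather than as garbage that looks like a credential.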

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow