Question

I need to encrypt some data with AES in my program. Would it be better to use GnuPG (python-gnupg package) or PyCrypto to do the encryption/decryption?

Which of these is more secure? AFAIK, GnuPG seems like a more mature and business-proven solution that prevents many common beginner mistakes when using encryption (does it handle the initialization vector and AES modes?).

I don't need public key cryptography, just symmetric encryption.

Solution

Python-gnupg is a high-level library, easy to use and more robust against usage mistakes. However, it is also less flexible and you can only use public key cryptography based on the web-of-trust security model of PGP. ~~You cannot use just AES~~ You can use AES only, but the AES key can only be derived from a password by means of a custom PBKDF2-like algorithm. Additionally, python-gnupg is a wrapper around gnupg, so you must take into account that the native library also needs to be deployed.

Pycrypto is a low-level library which is more difficult to use; there are plenty of ways to make mistakes (and therefore introduce vulnerabilities) while calling the API. On the other hand, it gives you a lot of freedom for tailoring your protocol. You can use both public and symmetric key cryptography. The library is pretty much self-contained and yes, it handles IVs for modes like AES CBC. For example:

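```python
from Crypto.Random import get_random_bytes
from Crypto.Cipher import AES

key = get_random_bytes(16)              # AES-128 key; keep it secret
plaintext = b"sixteen byte msg"         # CBC input must be a multiple of 16 bytes

iv = get_random_bytes(16)               # fresh random IV for every message
cipher = AES.new(key, AES.MODE_CBC, iv)
ciphertext = cipher.encrypt(plaintext)  # keep the IV with the ciphertext for decryption
```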

In general, python-gnupg is more secure since it is more difficult to misuse its API. Still, if you really want symmetric encryption only, I would stick to pycrypto since the functionality is very simple and it has fewer dependencies.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow