Encrypt any type of file to prevent it being read by others without the password.
Note: this project was made for educational purposes only, and the security of the code hasn’t been tested at all.
Note 2: all of the code and files used in this tutorial are available on GitHub here.
In this blog we are going to create a program that can encrypt and decrypt a file using a password. To do this we’re going to use the Cryptography library. Before you can use it, you have to install it by typing
pip install cryptography into a console prompt.
Once Cryptography has installed we can start writing our program. We’ll use Fernet, which uses 128-bit key AES, or Advanced Encryption Standard.
Firstly we have to import all of the modules we need.
Unfortunately we can’t just use the password itself for encryption and decryption. We have to use the password to generate a key based upon it. To do this we use the key derivation function PBKDF2. This essentially passes the password, combined with a salt value, through a one-way function many times, in this case the SHA-256 hash. But what is a salt value? A salt is some random data that is passed in to the one-way function along with the password. As a result, you need the password and the salt to decrypt a file, making it harder to do so. We’re storing a 16-byte salt in a text file.
In this function we encrypt a file. It takes three arguments: the key that we generated from a password and a salt, the location of the original file and the location the new encrypted file should be saved. Firstly we read the contents of the original file, before initialising the Fernet cipher with the key. We then encrypt the data from the original file and write it to a new file before deleting the original file.
The next function is very similar to the encrypt_file function, except it decrypts files instead. Instead of
fernet.encrypt(), it uses
The final function is for generating a new salt.
os.urandom() is used to generate 16 bytes that are random enough to be cryptographically secure. Bear in mind that it replaces the existing salt file, so if you have any files encrypted with that salt you’ll be unable to decrypt them.
The program presents the user with four options: to encrypt a file, decrypt a file, generate a new salt or exit. While the user doesn’t choose exit, the program continues on a loop.
If the user chooses to encrypt a file, the program asks them for the location of the original and new files before asking them for a password. It then generates a key from the password and uses it to encrypt a file.
If they choose to decrypt a file, the same process occurs, except the
decrypt_file function is used instead.
The final choice is to generate a new salt. The user has to confirm that they are certain they want to do this before the program goes ahead. At the end of the loop the menu is presented again.
You can find the full program on GitHub here.
Now we can test our program! We can start with an easier file: a text file.
Then we start our program and select option 1 to encrypt a file:
As you can see, the file is now unintelligible:
Now we can decrypt the file:
We can also do the same with a Word document:
As you can see, Word cannot even open the encrypted file. However, we can decrypt it.
Now you can encrypt your files! Remember that this tutorial is for educational purposes only – I haven’t tested the program extensively and so I don’t suggest you use it for storing any state secrets. Enjoy!