https://github.com/stereobutter/aes-gcm-rsa-oaep
Kubeseal aes-gcm-rsa-oaep encryption implemented in python
https://github.com/stereobutter/aes-gcm-rsa-oaep
devops kubeseal sealed-secrets
Last synced: 12 days ago
JSON representation
Kubeseal aes-gcm-rsa-oaep encryption implemented in python
- Host: GitHub
- URL: https://github.com/stereobutter/aes-gcm-rsa-oaep
- Owner: stereobutter
- License: mit
- Created: 2022-09-07T18:06:26.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-03-04T13:46:42.000Z (over 2 years ago)
- Last Synced: 2025-04-10T23:45:50.759Z (about 1 year ago)
- Topics: devops, kubeseal, sealed-secrets
- Language: Python
- Homepage:
- Size: 26.4 KB
- Stars: 2
- Watchers: 1
- Forks: 1
- Open Issues: 7
-
Metadata Files:
- Readme: readme.md
- License: LICENSE
Awesome Lists containing this project
README
# AES-GCM + RSA OAEP encryption (as used by kubeseal)
## Installation
```
pip install aes-gcm-rsa-oaep
```
> :blue_book: This module depends on the `cryptography`(https://pypi.org/project/cryptography/) module. See [here](https://cryptography.io/en/latest/installation/#building-cryptography-on-linux) for instructions on how to install or build `cryptography` your platform.
## Usage
```python
from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key
from aes_gcm_rsa_oaep import encrypt, decrypt
private_key = generate_private_key(public_exponent=65537, key_size=4096)
public_key = private_key.public_key()
plaintext = b'hello world'
label='my-namespace/my-secret'
ciphertext = encrypt(plaintext, public_key, label)
assert plaintext == decrypt(ciphertext, private_key, label)
```
## Encryption Algorithm
The implementation follows and is compatible with https://github.com/bitnami-labs/sealed-secrets/blob/main/docs/developer/crypto.md
Encrypting a plaintext works as follows:
* a 256 bit random session key is generated
* AES-GCM is used to encrypt the plaintext using the session key
* the session key is encrypted using a provideded RSA public key
* the resulting payload is the concatenated RSA ciphertext length (2 bytes), the RSA encrypted session key and the AES encrypted plaintext
Decrypting a ciphertext works by following the procedure in reverse
* extraction of the RSA ciphertext length, RSA encrypted session key and the AES encrypted plaintext
* the session key is decrypted using the RSA private key
* the session key is used to decrypt the AES encrypted plaintext