[SCHEMA][DEPENDENCIES] Encryption of secrets (passwords, refresh_tokens) and blocks.

Summary:
We use PyNaCl's symmetric key encryption scheme, which implements the Salsa20 stream cipher algorithm, with a unique 24-byte nonce that is generated at each invocation and a static key that:
- is generated using the bin/create-encryption-keys script
- stored in the secrets config file specified in the config. (defaults are: etc/secrets-dev.yml, etc/secrets-test.yml)

This implementation replaces our previous local/remote vault.

NOTE: We currently use our own fork of pynacl, due to install issues with pyca/pynacl. See discussion here: pyca/pynacl#106
Our fork does *not* change any functionality, merely fixes a typo in the name of a test.

TODO: Move to PyNaCl once that's resolved and we can actually install it.

Test Plan:
Added -
tests/general/test_secret.py
tests/general/test_storage.py

All tests pass. Sync runs as before for an oauth and password test account.

Reviewers: spang, dlitz
Reviewed By: dlitz
Subscribers: dlitz, emfree
Differential Revision: https://review.inboxapp.com/D358