Encrypt secrets in DB #96
Comments
The relevant part in the specification is the following:
Hardware encryption cannot be enforced by this package, but the encryption could be implemented.
A possible package to perform the encryption would be: https://github.com/pyca/cryptography.
Another possible package: https://github.com/defrex/django-encrypted-fields
I've looked into this and the issue is that this package only stores the
Perhaps a more thorough solution would involve
Incidentally, I should probably take back my recommendation of
Encryption doesn't really add any security in this case, unless you have a safe way to store the encryption keys. One possible solution would be to somehow derive a key from the user's password (you can use Django's pbkdf2 implementation for this, but don't use the stored password hash!). However, looking at django-otp's code, this is currently not possible and would be best done in their TOTPDevice implementation. For now, a better solution is to use a secure store for the keys, something like Vault.
A good practice is to encrypt or hash secret keys in the DB. I would suggest implementing this. (Enhancement)
While for one-off keys one-way hash functions such as scrypt/bcrypt are available, that's not an option for TOTP, where the actual key value is needed. Simple encryption where the encryption key is not stored in the DB suffices.
Encryption of secret keys is recommended by RFC 6238.
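The two points made in this thread (a TOTP secret must be recoverable, so hashing is out, and encrypting it only helps if the key itself is not sitting in the same database) can be shown in a small stand-alone example. The code below is an added illustration, not code from this issue, from django-two-factor-auth or from django-otp. It derives a per-user wrapping key from the user's password with PBKDF2-HMAC-SHA256 (the Django-style derivation the comment above points at), with a purpose label so the wrapping key differs from the login hash the password hasher stores. Because the verifier environment may lack pyca/cryptography, the cipher is a stdlib-only stand-in: HMAC-SHA256 used as a counter-mode keystream plus an encrypt-then-MAC tag; in a real deployment substitute an AEAD from the `cryptography` package mentioned in the thread. All function names, the iteration count, the salt/nonce sizes and the sample secret are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Illustrative parameters (constructed for this example; tune for your deployment).
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a purpose label mixed into the salt.

    The label keeps the TOTP-wrapping key separate from the hash the login
    system stores, so a dump of the users table (hash included) does not
    contain anything that unwraps the TOTP secret.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), purpose + b"|" + salt, PBKDF2_ITERATIONS
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib stand-in for a real stream/AEAD cipher.
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    # Independent keys for confidentiality and integrity, both derived from the wrapping key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_secret(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_secret(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered row raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def store_totp_secret(password: str, totp_secret: bytes) -> dict:
    """Build the DB row: only the salt and the wrapped secret are stored, never the key."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, salt, b"totp-wrap")
    return {"salt": salt, "blob": encrypt_secret(key, totp_secret)}


def load_totp_secret(password: str, row: dict) -> bytes:
    """Unwrap the secret at verification time; requires the user's password, not its hash."""
    key = derive_key(password, row["salt"], b"totp-wrap")
    return decrypt_secret(key, row["blob"])


def login_hash(password: str, salt: bytes) -> bytes:
    """What a password hasher would store for authentication: same salt, different purpose."""
    return derive_key(password, salt, b"login")


if __name__ == "__main__":
    # Constructed sample: a base32 TOTP seed as the application would hold it.
    row = store_totp_secret("correct horse battery staple", b"JBSWY3DPEHPK3PXP")
    print("stored row keeps no plaintext:", b"JBSWY3DPEHPK3PXP" not in row["blob"])
    print("unwrapped:", load_totp_secret("correct horse battery staple", row))
```

The design consequence the thread raises is visible in `load_totp_secret`: the plaintext password has to be available whenever a code is verified, which is why the comment above notes that this would need changes inside the TOTPDevice implementation rather than in a wrapper package. A database copy alone yields salts, ciphertext and login hashes, none of which unwraps the secret.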