Welcome to the next pikoTutorial!

In one of the previous articles we learned how to perform symmetric data encryption using Python. The last example was about direct conversion of a user provided password to the encryption key. Although it works, this is not the recommended way to do that. Today you will learn about the recommended one which is key derivation function.

Key derivation function

Below you can find the extended example of how to use PBKDF2HMAC key derivation function in Python:

# import utility for Base64 encoding
import base64
# import Fernet
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes
# import getpass for secure input reading
from getpass import getpass
# read plain text password
plain_text_password: str = getpass(prompt='Password: ')
# convert the password to bytes
password_bytes = plain_text_password.encode('utf-8')
# some salt value for demonstration, use a secure random value in practice
salt = b'\x00' * 16
# use PBKDF2HMAC to derive a secure key from the password
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    iterations=100000
)
# encode the derived key with Base64
key = base64.urlsafe_b64encode(kdf.derive(password_bytes))
# create a Fernet instance with the derived key
fernet = Fernet(key)
# data to be encrypted
data = b'Some secret data'
# encrypt the data
encrypted_data = fernet.encrypt(data)
# decrypt the data
decrypted_data = fernet.decrypt(encrypted_data)
# print the decrypted data
print(f"Decrypted text: {decrypted_data.decode()}")

Key created this way is not only safer, but also no longer requires plain text password to be exactly 32 bytes long.

Note for beginners: remember that salt is mandatory to decrypt the data!