gemstone_utils.crypto
Symmetric encryption registry, PBKDF2 primitive, and wire encoding helpers.
- gemstone_utils.crypto.DEFAULT_PBKDF2_ITERATIONS_STRONG = 600000
OWASP-style iteration count for PBKDF2-HMAC-SHA256 persisted KDF defaults.
- gemstone_utils.crypto.RECOMMENDED_DATA_ALG: Final[str] = 'A256GCM'
Default symmetric algorithm id for new field encryption and data_alg rows.
- gemstone_utils.crypto.SUPPORTED_SYM_ALGS: frozenset[str] = frozenset({'A256GCM'})
Registered symmetric algorithm ids (read-only; use is_supported_sym_alg).
- class gemstone_utils.crypto.SymAlgSpec(key_length, validate_sym_params, encrypt_impl, decrypt_impl)[source]
Bases: NamedTuple
Registered symmetric algorithm: key size, param validation, and crypto ops.
- Parameters:
- gemstone_utils.crypto.decrypt_alg(alg, key, ciphertext, params=None)[source]
Decrypt with a registered symmetric algorithm.
- Parameters:
- Returns:
Plaintext bytes.
- Raises:
ValueError – If alg is unsupported or params are invalid.
- Return type:
- gemstone_utils.crypto.decrypt_with_alg(alg, key, blob)[source]
Decrypt with empty symmetric parameters (backward-compatible wrapper).
- Parameters:
- Returns:
Plaintext bytes.
- Raises:
ValueError – If alg is unsupported or decryption fails.
- Return type:
- gemstone_utils.crypto.derive_pbkdf2_hmac_sha256(passphrase, salt, *, iterations, length=32)[source]
Derive key bytes with PBKDF2-HMAC-SHA256.
- gemstone_utils.crypto.encrypt_alg(alg, key, plaintext, params=None)[source]
Encrypt with a registered symmetric algorithm.
- Parameters:
- Returns:
A tuple (ciphertext, updated_params). Persist updated_params in the wire JSON segment when nonces or metadata are stored outside the blob.
- Raises:
ValueError – If alg is unsupported or params are invalid.
- Return type:
- gemstone_utils.crypto.encrypt_with_alg(alg, key, plaintext)[source]
Encrypt and return ciphertext only (backward-compatible wrapper).
Same as encrypt_alg() with empty params, discarding updated_params.
- Parameters:
- Returns:
Ciphertext bytes.
- Raises:
ValueError – If alg is unsupported.
- Return type:
- gemstone_utils.crypto.generate_key_by_alg(alg)[source]
Generate random key bytes sized for a registered algorithm.
- Parameters:
alg (str) – Registered symmetric algorithm id.
- Returns:
os.urandom(key_length) for alg.
- Raises:
ValueError – If alg is not registered.
- Return type:
- gemstone_utils.crypto.is_supported_sym_alg(alg)[source]
Return whether alg is a registered symmetric algorithm id.
- gemstone_utils.crypto.recommended_data_alg()[source]
Return the symmetric algorithm id recommended for new field encryption.
Matches the default for KeyContext.alg and GemstoneKeyRecord.data_alg.
- Returns:
Algorithm id string (currently RECOMMENDED_DATA_ALG).
- Return type:
- gemstone_utils.crypto.sym_alg_key_length(alg)[source]
Return the required key length in bytes for a registered algorithm.
- Parameters:
alg (str) – Registered symmetric algorithm id.
- Returns:
Key length in bytes.
- Raises:
ValueError – If alg is not registered.
- Return type: