Skip to main content

Encrypting sensitive data

Sensitive data such as tokens, keys, credit card numbers and other "secrets" must be stored at rest (database, files, client storage) in encrypted form to avoid data breaches.

Flet includes utility methods to encrypt and decrypt sensitive text data using symmetric algorithm (where the same key is used for encryption and decryption). They use Fernet implementation from cryptography package, which is AES 128 with some additional hardening, plus PBKDF2 to derive encryption key from a user passphrase.

Secret key

Encryption secret key (aka password, or passphrase) is an arbitrary password-like string configured by a user and used for encrypting and decrypting data. Crypto algorithm uses secret key to "derive" encryption key (32 bytes).


Do not embed any secrets into source code to avoid accidential exposure to a public!

You can provide a secret to your app via environment variable:

import os
secret_key = os.getenv("MY_APP_SECRET_KEY")

Before running the app set the secret in a command line:

$ export MY_APP_SECRET_KEY="<secret>"

While passing secrets via environment variables is a common practice amongst developers and service providers it does not fully prevent secrets leaking in some environments. Other mechanisms can be used to inject secrets to your application such as mounting secret files or vault services.

Encrypting data

Use encrypt() method to encrypt a string:

import os
from import encrypt, decrypt

secret_key = os.getenv("MY_APP_SECRET_KEY")
plain_text = "This is a secret message!"
encrypted_data = encrypt(plain_text, secret_key)

encrypted_data is a URL-safe base64-encoded string.

encrypt accepts strings only, so any objects must be serialized to JSON, XML or other text-based format before encryption.

Decrypting data

Use decrypt() method to decrypt the data:

import os
from import encrypt, decrypt

secret_key = os.getenv("MY_APP_SECRET_KEY")
encrypted_data = "601llp2zpPp4QjBWe2cOwGdBQUFBQUJqTTFJbmgyWU5jblVp..."
plain_text = decrypt(encrypted_data, secret_key)