AES Encryption

[cp...@usc.edu]

Is there a blog or website dedicated to helping Django developers handle PII? I'd like to use AES 256 encryption to store all of our fields but have no guidance on the best practices for implementing security measures.

[Alex Heyden]

PyCrypto would be the Python-side library if you wanted to handle this in application code, but personally, I'd prefer to handle it in my database of choice. A lot of us use Postgres, and there's a django-pgcrypto library for that.

That being said, reversible ciphers are hard to do meaningfully. You'd need some sort of attack vector that includes getting unauthorized access to the database, but not via the authorized application, an authorized user, or access to the machine where the keys are readable. Often enough, that means you messed up the auth rules on your database, RBAC in your application code, or your OS read permissions, and you can't cipher your way out of those issues. A lot of that isn't really Django-centric, and because it's so rare to have a risk that's mitigated like that, most developers just don't do it, and not just out of laziness. 

What you might actually want is row-level read access, and something like django-guardian would help you manage object-level permissions in the admin screen.

If you're looking for further reading, OWASP really is the gold standard for web security information. The site looks like amateur hour, but it's not maintained by UI experts, it's maintained by security experts. It's practically required reading in most security-conscious corporate environments.

And finally, when in doubt, throw it away. It's a lot harder to have a breach of data you didn't store anywhere.

On Sat, Jan 19, 2019 at 8:59 PM <cp...@usc.edu> wrote:

Is there a blog or website dedicated to helping Django developers handle PII? I'd like to use AES 256 encryption to store all of our fields but have no guidance on the best practices for implementing security measures.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/64a50014-df54-4ec7-a4b1-f60879385c15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.