#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
AES-256-GCM encryption engine for agent memory
The key is loaded from the ENCRYPTION_KEY environment variable.
"""
import base64
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
class EncryptionEngine:
def __init__(self):
key_str = os.getenv("ENCRYPTION_KEY", "")
if not key_str:
print("[WARN] ENCRYPTION_KEY not set — encryption disabled (plaintext storage)")
self._enabled = False
self._aesgcm = None
else:
# Derive 32-byte key via SHA-256 so any string length works
self._key = hashlib.sha256(key_str.encode()).digest()
self._aesgcm = AESGCM(self._key)
self._enabled = True
print("[OK] AES-256-GCM encryption engine initialized")
@property
def enabled(self) -> bool:
return self._enabled
def encrypt(self, plaintext: str) -> str:
"""Encrypt plaintext string; returns base64(nonce[12] + ciphertext+tag)"""
if not self._enabled:
return plaintext
nonce = os.urandom(12)
ciphertext = self._aesgcm.encrypt(nonce, plaintext.encode("utf-8"), None)
return base64.b64encode(nonce + ciphertext).decode("ascii")
def decrypt(self, data: str) -> str:
"""Decrypt base64-encoded ciphertext back to plaintext"""
if not self._enabled:
return data
try:
raw = base64.b64decode(data.encode("ascii"))
nonce = raw[:12]
ciphertext = raw[12:]
plaintext = self._aesgcm.decrypt(nonce, ciphertext, None)
return plaintext.decode("utf-8")
except Exception as e:
print(f"[WARN] Decryption failed, returning raw value: {e}")
return data
# Global singleton — constructed at import time, so importing this module reads
# ENCRYPTION_KEY and prints the [OK]/[WARN] status line to stdout.
encryption_engine = EncryptionEngine()