diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-05-27 15:11:24 -0500 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-05-27 16:11:24 -0400 |
commit | afa84f10a2077b2365c30a133ae943e96c1c1ee8 (patch) | |
tree | b6fc79dbd407ee8a22718a09115b1e29303a2260 | |
parent | 35acb37330e8d8e079b19d9fde2e16003f0defab (diff) | |
download | cryptography-afa84f10a2077b2365c30a133ae943e96c1c1ee8.tar.gz cryptography-afa84f10a2077b2365c30a133ae943e96c1c1ee8.tar.bz2 cryptography-afa84f10a2077b2365c30a133ae943e96c1c1ee8.zip |
strongly encourage the use of fernet, document its limitation (#3623)
-rw-r--r-- | docs/fernet.rst | 7 | ||||
-rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 3 |
2 files changed, 10 insertions, 0 deletions
diff --git a/docs/fernet.rst b/docs/fernet.rst index 0c1eb43d..65f70cf4 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -163,6 +163,13 @@ Specifically it uses: For complete details consult the `specification`_. +Limitations +----------- + +Fernet is ideal for encrypting data that easily fits in memory. As a design +feature it does not expose unauthenticated bytes. Unfortunately, this makes it +generally unsuitable for very large files at this time. + .. _`Fernet`: https://github.com/fernet/spec/ .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index e99c2c0a..8b047b8c 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -16,6 +16,9 @@ decrypt them. For this reason it is **strongly** recommended to combine encryption with a message authentication code, such as :doc:`HMAC </hazmat/primitives/mac/hmac>`, in an "encrypt-then-MAC" formulation as `described by Colin Percival`_. +``cryptography`` includes a recipe named :doc:`/fernet` that does this for you. +**To minimize the risk of security issues you should evaluate Fernet to see if +it fits your needs before implementing anything using this module.** .. class:: Cipher(algorithm, mode, backend) |