From afa84f10a2077b2365c30a133ae943e96c1c1ee8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 27 May 2017 15:11:24 -0500 Subject: strongly encourage the use of fernet, document its limitation (#3623) --- docs/fernet.rst | 7 +++++++ docs/hazmat/primitives/symmetric-encryption.rst | 3 +++ 2 files changed, 10 insertions(+) diff --git a/docs/fernet.rst b/docs/fernet.rst index 0c1eb43d..65f70cf4 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -163,6 +163,13 @@ Specifically it uses: For complete details consult the `specification`_. +Limitations +----------- + +Fernet is ideal for encrypting data that easily fits in memory. As a design +feature it does not expose unauthenticated bytes. Unfortunately, this makes it +generally unsuitable for very large files at this time. + .. _`Fernet`: https://github.com/fernet/spec/ .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index e99c2c0a..8b047b8c 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -16,6 +16,9 @@ decrypt them. For this reason it is **strongly** recommended to combine encryption with a message authentication code, such as :doc:`HMAC `, in an "encrypt-then-MAC" formulation as `described by Colin Percival`_. +``cryptography`` includes a recipe named :doc:`/fernet` that does this for you. +**To minimize the risk of security issues you should evaluate Fernet to see if +it fits your needs before implementing anything using this module.** .. class:: Cipher(algorithm, mode, backend) -- cgit v1.2.3