Secure Password or Token on Windows – Python

My Python journey is going well, and with my new role I have to do more work on it.

I have started enjoying it and am now sharing my recent learning.

I need to connect to the Office 365 Graph API using Python. I have generated the token and built a mechanism to refresh it, as the access token expires every hour.

The challenge is how to store it in a secure way.

In PowerShell you use the Windows Data Protection API to encrypt the password or token and store it on the machine.

With Python you can use Windows Credential Manager to store a password in a secure way (this also belongs to the user/machine context, so unless the user's password is compromised, the stored password is secure, the same as in the case of PowerShell).

  • How to achieve it?

You can use the keyring module in Python to easily store and retrieve passwords from the credential store.

https://pypi.org/project/keyring/

pip install keyring

  • To store the password in credential manager:

import keyring

keyring.set_password('AirwatchDev', 'APIKey', 'ssjhfkjbjkbrqekjbnerkqnqrekjgnq67567=')

  • To retrieve the password from Credential Manager:

import keyring

Apikey = keyring.get_password('AirwatchDev', 'APIKey')

This still does not resolve my issue: it is good for storing passwords, but for a token it gives a length error, as Windows Credential Manager has a limit on the number of characters.

To encrypt the token, I used the following approach:

  1. Generated a key using cryptography.
  2. Stored that key in Windows Credential Manager using keyring.
  3. Encrypted the token with that key.
  4. Stored the encrypted token on the file system of the automation server from which the script runs.

First install the cryptography module

https://pypi.org/project/cryptography/

pip install cryptography

  • To generate the key

from cryptography.fernet import Fernet

key = Fernet.generate_key()

print(key)


  • Now store this key in Windows Credential Manager

import keyring

# paste the printed key without the b'' prefix, which only denotes bytes
keyring.set_password('auth_key', 'Key', 'n9pyTx4ghJfbjz_81tCFPTWT84JDRBxQzlRtMfsr2zU=')

  • How to use the key and encrypt the token:

import keyring
from cryptography.fernet import Fernet

tokenfile = "E:\\tokenlocation\\SecToken.Bin"

# read the key back from Windows Credential Manager (same names used when storing it)
auth_key = keyring.get_password('auth_key', 'Key')
cipher_suite = Fernet(auth_key)

# newaccess_token is the access token string returned by the token refresh
ciphered_text1 = cipher_suite.encrypt(newaccess_token.encode())

with open(tokenfile, 'wb') as file_object:
    file_object.write(ciphered_text1)  # writing encrypted token to file

  • How to decrypt the encrypted token for usage:

cipher_suite = Fernet(auth_key)

with open(tokenfile, 'rb') as file_object:
    encryptedpwd = file_object.read()  # the file holds a single encrypted token

uncipher_text = cipher_suite.decrypt(encryptedpwd)
u_token = uncipher_text.decode("utf-8")  # convert to string
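The four steps above combined into one helper, as an added example that is not code from the original post: the key is generated on first use and written straight to the credential store, so it is never printed or pasted into a script, and decryption uses Fernet's `ttl` check to reject a token file older than the one-hour token lifetime. The function names, the `store` parameter (any object with keyring's `get_password`/`set_password`, defaulting to the `keyring` module) and `TOKEN_TTL` are assumptions of this example.

```python
import os
import tempfile
from cryptography.fernet import Fernet, InvalidToken

SERVICE, USERNAME = "auth_key", "Key"  # same credential entry names the post uses
TOKEN_TTL = 3600                       # assumed: the one-hour access token lifetime


def _default_store():
    import keyring  # lazy import: a stand-in store can be passed instead
    return keyring


def get_cipher(store=None):
    """Load the Fernet key from the credential store, creating it on first use."""
    if store is None:
        store = _default_store()
    key = store.get_password(SERVICE, USERNAME)
    if key is None:  # keyring returns None when the entry does not exist
        key = Fernet.generate_key().decode()
        store.set_password(SERVICE, USERNAME, key)
    return Fernet(key)


def save_token(token, path, store=None):
    """Encrypt the token and replace the token file atomically."""
    data = get_cipher(store).encrypt(token.encode("utf-8"))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)  # readers never see a half-written file


def load_token(path, store=None, ttl=TOKEN_TTL):
    """Return the token, or None if the file is missing, modified or too old."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
        # Fernet authenticates the ciphertext and checks its embedded timestamp
        return get_cipher(store).decrypt(data, ttl=ttl).decode("utf-8")
    except (FileNotFoundError, InvalidToken):
        return None
```

A `None` result from `load_token` is the signal to run the token refresh and call `save_token` again.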

Reference for cryptography: https://www.mssqltips.com/sqlservertip/5173/encrypting-passwords-for-use-with-python-and-sql-server/

I hope this article will assist you in your Python journey and help you secure your passwords or tokens.

For passwords you can just use keyring, but for tokens this approach is definitely better than keeping unencrypted tokens on the filesystem (as Credential Manager doesn't allow storing them).

 

Thanks for reading …

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/
