My Python journey is going well, and with my new role I have to do more work with it.
I have started enjoying it and am now sharing my recent learning.
I need to connect to the Office 365 Graph API using Python. I have generated the token and built a mechanism to refresh it, as the access token expires every hour.
The challenge is how to store it in a secure way.
In PowerShell you use the Windows Data Protection API to encrypt the password or token and store it on the machine.
With Python you can use Windows Credential Manager to store a password in a secure way (it also belongs to the user/machine context, so unless the user's password is compromised the stored password is secure, the same as with PowerShell).
- How to achieve it?
You can use the keyring module in Python to easily store and retrieve passwords from the credential store.
https://pypi.org/project/keyring/
pip install keyring
- To store the password in Credential Manager:
import keyring
keyring.set_password('AirwatchDev', 'APIKey', 'ssjhfkjbjkbrqekjbnerkqnqrekjgnq67567=')
- To retrieve the password from Credential Manager:
import keyring
Apikey = keyring.get_password('AirwatchDev', 'APIKey')
This still does not resolve my issue: it is good for storing passwords, but for a token it gives a length error, as Windows Credential Manager has a limit on the number of characters.
To encrypt the token, I used the following approach:
- Generate a key using cryptography.
- Store that key in Windows Credential Manager using keyring.
- Encrypt the token with that key.
- Store the encrypted token on the file system of the automation server where the script runs.
First install the cryptography module:
https://pypi.org/project/cryptography/
pip install cryptography
- To generate the key
from cryptography.fernet import Fernet
key = Fernet.generate_key()
print(key)
- Now store this key in Windows Credential Manager
keyring.set_password('auth_key', 'Key', 'n9pyTx4ghJfbjz_81tCFPTWT84JDRBxQzlRtMfsr2zU=')  # ignore the b'' around the printed key, it denotes bytes
- How to use the key and encrypt the token:
import keyring
from cryptography.fernet import Fernet
tokenfile = "E:\\tokenlocation\\SecToken.Bin"
auth_key = keyring.get_password('auth_key', 'Key')  # key stored in the previous step
cipher_suite = Fernet(auth_key)
# newaccess_token is the access token string produced by the token refresh
ciphered_text1 = cipher_suite.encrypt(newaccess_token.encode())
with open(tokenfile, 'wb') as file_object:
    file_object.write(ciphered_text1)  # writing encrypted token to file
- How to decrypt the encrypted token for usage:
cipher_suite = Fernet(auth_key)
with open(tokenfile, 'rb') as file_object:
    encryptedpwd = file_object.read()  # the encrypted token is a single line
uncipher_text = cipher_suite.decrypt(encryptedpwd)
u_token = uncipher_text.decode("utf-8")  # convert to string
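The four steps above as one round trip, written here as an added example and not part of the original script. The names save_token, load_token, MemoryStore and max_age are assumptions of this sketch; max_age uses Fernet's ttl check so a file older than the one-hour token lifetime is rejected, and a modified file or wrong key is rejected the same way because Fernet authenticates the ciphertext.

```python
import os
import tempfile
from cryptography.fernet import Fernet, InvalidToken

SERVICE, ENTRY = "auth_key", "Key"  # same Credential Manager entry as above


class MemoryStore:
    """Constructed stand-in with keyring's get/set_password, for offline runs."""
    def __init__(self):
        self._d = {}

    def get_password(self, service, name):
        return self._d.get((service, name))

    def set_password(self, service, name, value):
        self._d[(service, name)] = value


def _cipher(store):
    """Build a Fernet from the stored key, generating the key on first use."""
    key = store.get_password(SERVICE, ENTRY)
    if key is None:
        key = Fernet.generate_key().decode()  # str, so no b'' prefix to strip
        store.set_password(SERVICE, ENTRY, key)
    return Fernet(key)


def save_token(token, path, store):
    """Encrypt the token and replace the file atomically (no half-written file)."""
    data = _cipher(store).encrypt(token.encode())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def load_token(path, store, max_age=3600):
    """Return the token, or None if the file is missing, altered, encrypted
    under another key, or older than max_age seconds (caller then refreshes)."""
    try:
        with open(path, "rb") as f:
            return _cipher(store).decrypt(f.read(), ttl=max_age).decode()
    except (FileNotFoundError, InvalidToken):
        return None


if __name__ == "__main__":
    import keyring  # the real store on the automation server
    path = os.path.join(tempfile.gettempdir(), "SecToken.Bin")
    save_token("constructed-sample-token", path, keyring)
    print(load_token(path, keyring))
```

A None result from load_token is the signal to request a fresh access token and call save_token again.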
Reference for cryptography: https://www.mssqltips.com/sqlservertip/5173/encrypting-passwords-for-use-with-python-and-sql-server/
I hope this article will assist you in your Python journey and will help you in securing passwords or tokens.
For passwords you can just use keyring, but for tokens this approach is definitely better than unencrypted tokens on the file system (as Credential Manager doesn't allow storing them).
Thanks for reading …
Tech Wizard