Requirement:
You may have run into this requirement: to protect the database on your own server, the stored data has to be encrypted, so that if the database is stolen nobody else can read its contents. There is one more premise: the front-end display page is not public, and you have to log in to reach it. The reason is that the content shown on the front end must be clear text, otherwise how would the administrator read it? (This also leaves an opening for a crawler, but the crux is that it would first have to obtain the administrator's password.)
Background:
- The system's database is MongoDB;
- The back end is written in Python;
- Python talks to the database mainly through pymongo.
Finding a way in:
From this we can see two places to start:
- Encrypt and decrypt the data on every database operation. Concretely: encrypt the data before insert, delete and update (so that it can still be matched in the database), and decrypt the data after a find (so that the clear text can be displayed);
- Modify pymongo, the library that talks to the database, so that it encrypts on write and decrypts on read.
Comparing the pros and cons of the two approaches:
The first approach: simple to implement, but not suited to large projects. Once a project is large, its database operations are unlikely to all go through a single database-access module, which makes modifying them cumbersome;
The second approach: transparent to the business logic. The site code does not need to change, but the pymongo source has to be analysed to find the key points corresponding to insert, delete, update and find, and the encryption and decryption operations are added at those points.
Our project is not small and has many modules, so the second option was chosen.
Specific steps:
1. Implement the encryption/decryption function library
Since encryption and decryption operations are needed, the first thing is clearly to implement our own encryption/decryption functions. I used the PyCrypto library with the AES algorithm to encrypt and decrypt documents. The process is not difficult; it is implemented recursively, as follows:
```python
# Python 2 code (str is a byte string here), matching the pymongo 2.7 setup described below
from Crypto.Cipher import AES
import bson
from bson.binary import Binary, UUIDLegacy
from pymongo import config   # not part of stock pymongo; holds the key in the author's modified copy

key = config.key

# PyCrypto's AES.new(key) with no mode argument defaults to MODE_ECB: equal
# plaintexts always give equal ciphertexts, which is what lets an encrypted
# value be matched by a find() query (and also what reveals equal values in a dump).
obj = AES.new(key)


def encrypt_helper(s):
    # PKCS#7-style padding to a multiple of the 16-byte AES block size
    # (a full block of padding is added when the length is already aligned)
    length = 16 - (len(s) % 16)
    s += chr(length) * length
    s = obj.encrypt(s)
    # store as a BSON Binary so decrypt_doc can recognise encrypted fields
    s = Binary(s, 1)
    return s


def decrypt_helper(s):
    s = obj.decrypt(s)
    buf = bytearray(s)
    length = buf[-1]          # the last byte holds the padding length
    s = s[:-length]
    return s


def encrypt_doc(doc):
    # walk the document recursively: strings are encrypted, dicts and lists
    # are descended into, other scalars (numbers, ObjectIds, ...) stay as-is
    if isinstance(doc, str):
        return encrypt_helper(doc)
    if isinstance(doc, dict):
        for key in doc:
            if key != "channel":          # the "channel" field stays in clear text
                doc[key] = encrypt_doc(doc[key])
        return doc
    if isinstance(doc, list):
        for i in range(len(doc)):
            doc[i] = encrypt_doc(doc[i])
        return doc
    return doc


def decrypt_doc(doc):
    if isinstance(doc, Binary):
        return decrypt_helper(doc)
    if isinstance(doc, dict):
        temp_doc = {}
        for key in doc:
            # version 1
            # doc[key] = decrypt_doc(doc[key])
            # version 2: rebuild the dict with str keys
            temp_doc[str(key)] = decrypt_doc(doc[key])
        doc = temp_doc
        return doc
    if isinstance(doc, list):
        for i in range(len(doc)):
            doc[i] = decrypt_doc(doc[i])
        return doc
    return doc
```
2. Locate the insert/delete/update/find code in pymongo and add the encryption/decryption operations
After reading the pymongo source, I found that these operations live mainly in two files: collection.py and cursor.py. So during implementation I only modified the relevant parts of those two files (note that the pymongo version I use is 2.7; other versions may differ).
I'll simply list the functions I modified; if you are interested, the full implementation is on GitHub:
- collection.py:
  - insert
  - update
  - find_one
  - remove
  - aggregate
- cursor.py:
  - __getitem__
  - __send_message
Those interested can look at the code on GitHub: https://github.com/ybAmazing/encrypt_pymongo
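To make the two hook points concrete (encrypt before the write, encrypt the find_one query spec the same way so an equality lookup still matches, decrypt what comes back), here is an added example. It is not code from the original post or from the encrypt_pymongo repository. It assumes an in-memory `EncryptingCollection` standing in for a patched pymongo Collection, an `Encrypted` bytes subclass standing in for `bson.binary.Binary`, and `StandInCipher`, a constructed and deliberately trivial per-block transform used only because AES is not in the Python standard library; it reproduces just the property the post relies on (same plaintext block, same ciphertext block, as with AES in ECB mode) and is not secure. The example goes one step beyond the post by validating the padding on decrypt instead of trusting the last byte, and the demo shows what the determinism costs: someone holding the dump can see which encrypted values are equal without the key.

```python
"""Added example: transparent encrypt-on-write / decrypt-on-read hooks with a
deterministic block transform, modelling the post's pymongo patch."""
import hashlib
import hmac

BLOCK = 16
CLEAR_KEYS = {"channel"}   # the post leaves the "channel" field unencrypted


class StandInCipher:
    """Constructed stand-in for AES-ECB: deterministic per-block XOR mask. NOT secure."""

    def __init__(self, key):
        self.mask = hmac.new(key, b"block-mask", hashlib.sha256).digest()[:BLOCK]

    def encrypt(self, data):
        if len(data) % BLOCK:
            raise ValueError("input must be a multiple of the block size")
        return bytes(b ^ self.mask[i % BLOCK] for i, b in enumerate(data))

    decrypt = encrypt   # XOR with the same mask is its own inverse


class Encrypted(bytes):
    """Tags a value as ciphertext; plays the role of bson.binary.Binary in the post."""


def pad(data):
    # PKCS#7: 1..16 bytes each equal to the pad length; a full block when already aligned
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    # Validate before stripping; the post's helper trusts the last byte blindly
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt_doc(doc, cipher):
    """Recursive walk: strings become Encrypted, dicts/lists recurse, other scalars pass through."""
    if isinstance(doc, str):
        return Encrypted(cipher.encrypt(pad(doc.encode("utf-8"))))
    if isinstance(doc, dict):
        return {k: (v if k in CLEAR_KEYS else encrypt_doc(v, cipher)) for k, v in doc.items()}
    if isinstance(doc, list):
        return [encrypt_doc(v, cipher) for v in doc]
    return doc


def decrypt_doc(doc, cipher):
    """Inverse walk: Encrypted values are decrypted, unpadded and decoded back to str."""
    if isinstance(doc, Encrypted):
        return unpad(cipher.decrypt(doc)).decode("utf-8")
    if isinstance(doc, dict):
        return {k: decrypt_doc(v, cipher) for k, v in doc.items()}
    if isinstance(doc, list):
        return [decrypt_doc(v, cipher) for v in doc]
    return doc


class EncryptingCollection:
    """Constructed in-memory stand-in for a patched pymongo Collection.

    insert() is the write hook; find_one() is the read hook: the query spec is
    encrypted so the equality match runs on ciphertext, and the stored document
    is decrypted before it is handed back to the caller."""

    def __init__(self, cipher):
        self.cipher = cipher
        self._docs = []   # what the server actually holds: ciphertext only

    def insert(self, doc):
        self._docs.append(encrypt_doc(doc, self.cipher))

    def find_one(self, spec):
        enc_spec = encrypt_doc(spec, self.cipher)
        for stored in self._docs:
            if all(stored.get(k) == v for k, v in enc_spec.items()):
                return decrypt_doc(stored, self.cipher)
        return None

    def stored_raw(self):
        return list(self._docs)


def demo():
    col = EncryptingCollection(StandInCipher(b"constructed-demo-key"))
    col.insert({"channel": "news", "title": "hello", "tags": ["a", "hello"]})
    raw = col.stored_raw()[0]
    # Whoever obtains the dump sees "channel" in clear and the rest as bytes ...
    assert raw["channel"] == "news" and isinstance(raw["title"], Encrypted)
    # ... and, because encryption is deterministic, that "title" equals tags[1]
    # even without the key. That same determinism is what lets the query match.
    assert raw["title"] == raw["tags"][1]
    return col.find_one({"title": "hello"})


if __name__ == "__main__":
    print(demo())
```

Swapping `StandInCipher` for real AES-ECB keeps every other line unchanged; switching to a mode with a random IV would close the equality leak but would also break `find_one` on encrypted fields, which is the trade-off the post's design makes implicitly.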
Thoughts and summary
I was myself skeptical about the necessity of this feature. Since I don't know much about hacking techniques, I can't say why either. If you have any ideas or suggestions, please leave a message so we can exchange views and learn from each other.
MongoDB Database Encrypted Storage