Protect python code including a password, encrypt?

Question

I am trying to run a python script on a remote server which i dont trust. The script contains a password that is kind of important. What would be a good way to protect that code/password? I would give it as an argument or i could prompt input on the terminal but that would be saved in history.

The best way to protect the password would be not giving it to an untrustworthy server. — wwii, May 11 '17 at 19:10

score 0 · Answer 1 · answered Jul 18 '17 at 08:17

Store password with code on untrustworthy server, that definitely unsafe. You have to change the way like below if you can.

on the server you control, encrypt password with pub_key

general the different pub_key/private_key every request
the client you don't trust get id and encrypt_msg with auth
the password_required server get the id and private_key and decrypt encrypt_msg from client and compare the password.
delete the auth if the client is useless any more.

ForeverLearner · Answer 2 · 2017-05-14T08:12:48.053

The ideal way to handle it would be using REST-Api calls from a trusted server. On the untrusted server, you can store the encoded password.

EDIT 1: As @Luke has pointed out in the comments below, base64 owing to its simplicity can be easily decrypted. As suggested, we should implement a symmetric algorithm and then store the key on your trusted server.

You can explore the pycrypto library that has AES, DES etc. The link for pypi .

import base64
encoded = base64.urlsafe_b64encode('MyPassword')
## returns 'TXlQYXNzd29yZA=='

Store this on the un-trusted server and then decode on the trusted server to generate the expiry-based password.

import base64
original = base64.urlsafe_b64decode(encoded)
# Returns MyPassword

Step-1 : Setup a password generation program on your trusted server
Step-2 : Define the get and post methods for your program
Step-3 : From the remote server, first do a GET Authorization token command. If this token matches, generate a password with time-limit expiry.
Step-4 : Handover this to the server. Reset it after the expired time.

Sample post calls to get temporary passoword will be:

curl -L https://sandbox.trustedserver.com/v1.0/oauth/token/
-X  post
-H  'Content-Type: application/json'
-H  'Authorization: Basic [Base64_Credentials]'
-d '{ "grant_type": "client_credentials" }

Sample response will be a access token that expires in 500 seconds:

    {
    "token_type": "bearer",
    "access_token": "TXlQYXNzd29yZA==",
    "expires_in": 500
}

Hope it helps.

Uhhhhh... What if the untrusted server just base64 decodes the password? — Luke Joshua Park, May 11 '17 at 20:23
@LukePark As long as it is shared, you will always have that possibility. Ideally, servers should have SSL encryption enabled and have a certificate mechanism in place. But, that is not the OP's problem though — ForeverLearner, May 11 '17 at 20:34
Well, no, that won't always be a possibility? You could just as easily stored the password encrypted using a symmetric algorithm on the untrusted server and keep the key on the trusted server... I'm also not sure why the comment about "SSL encryption" and "certificate mechanism" (whatever you mean by that) is relevant. The problem with base64 encoding is still present regardless of whether the connection is tunneled through TLS. — Luke Joshua Park, May 11 '17 at 21:13

Protect python code including a password, encrypt?

2 Answers2