encryption

Tools for performing envelope encryption on GCP.

Functions

| Name | Description |
| --- | --- |
| decrypt_data | Decrypt a data frame with the provided key. |
| decrypt_dek | Decrypt a data encryption key using an asymmetric key held on KMS. |
| encrypt_data | Encrypt a data frame. |
| encrypt_dek | Encrypt the data encryption key. |

decrypt_data

encryption.decrypt_data(encrypted, key)

Decrypt a data frame with the provided key.

Parameters

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| encrypted | bytes | Data to be decrypted. | required |
| key | bytes | Key used to encrypt the data. | required |

Returns

| Type | Description |
| --- | --- |
| pandas.DataFrame | Decrypted data frame. |

decrypt_dek

encryption.decrypt_dek(encrypted, party, location='global', version=1, **kwargs)

Decrypt a data encryption key using an asymmetric key held on KMS.

Because of how pprl sets up its encryption keys, this function is only intended for use inside the GCP Confidential Space set up by the linkage administrator.

Parameters

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| encrypted | bytes | Key to be decrypted. | required |
| party | str | Name of the party whose key we are decrypting. | required |
| location | str | Location of the keyring on which the key lives. | 'global' |
| version | int \| str | Version of the asymmetric key to get from GCP. Default is 1. | 1 |
| **kwargs | dict | Keyword arguments to pass when creating an instance of google.cloud.kms.KeyManagementServiceClient. | {} |

Returns

| Type | Description |
| --- | --- |
| bytes | Decrypted data encryption key. |

encrypt_data

encryption.encrypt_data(data, key=None)

Encrypt a data frame.

Parameters

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| data | pandas.DataFrame | Data frame to encrypt. | required |
| key | bytes | Fernet key to encrypt data frame. If not specified, create one. | None |

Returns

| Type | Description |
| --- | --- |
| bytes | Encrypted data frame. |
| bytes | Fernet key used to encrypt data frame. |

encrypt_dek

encryption.encrypt_dek(dek, party, location='global', version=1, **kwargs)

Encrypt the data encryption key.

We encrypt the data encryption key using the public key portion of an asymmetric key retrieved from the GCP Key Management Service.

Parameters

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| dek | bytes | Data encryption key to be encrypted. | required |
| party | str | Name of the party. | required |
| location | str | Location of the keyring on which the key lives. | 'global' |
| version | int \| str | Version of the asymmetric key to get from GCP. Default is 1. | 1 |
| **kwargs | dict | Keyword arguments to pass when creating an instance of google.cloud.kms.KeyManagementServiceClient. | {} |

Returns

| Type | Description |
| --- | --- |
| bytes | Encrypted data encryption key. |
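
The envelope pattern documented above (a Fernet data encryption key protects the data, and an asymmetric key protects that key) can be exercised offline as follows. This is an added example, not pprl's own code: a locally generated RSA key pair stands in for the KMS-held key, CSV bytes stand in for the serialised data frame, RSA-OAEP with SHA-256 is an assumed wrapping algorithm, and all function names are hypothetical.

```python
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: RSA-OAEP with SHA-256; the page does not name the KMS key algorithm.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def make_party_keypair():
    """Local stand-in for one party's asymmetric key (hypothetical helper)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def seal(payload: bytes, public_key):
    """Data owner: encrypt under a fresh Fernet DEK, then wrap the DEK."""
    dek = Fernet.generate_key()
    return Fernet(dek).encrypt(payload), public_key.encrypt(dek, OAEP)


def open_sealed(ciphertext: bytes, wrapped_dek: bytes, private_key) -> bytes:
    """Key holder: unwrap the DEK, then decrypt and authenticate the payload."""
    dek = private_key.decrypt(wrapped_dek, OAEP)
    return Fernet(dek).decrypt(ciphertext)


def rejects(exc_type, *args) -> bool:  # True if open_sealed(*args) raises exc_type
    try:
        open_sealed(*args)
    except exc_type:
        return True
    return False


def round_trip_demo():
    payload = b"id,name_hash\n1,ab12\n2,cd34\n"  # constructed sample rows
    private_key, public_key = make_party_keypair()
    other_private_key, _ = make_party_keypair()
    ciphertext, wrapped_dek = seal(payload, public_key)
    recovered = open_sealed(ciphertext, wrapped_dek, private_key)
    # Alter one token character (it encodes part of the Fernet IV).
    tampered = ciphertext[:20] + bytes([ciphertext[20] ^ 1]) + ciphertext[21:]
    return (recovered == payload,
            rejects(ValueError, ciphertext, wrapped_dek, other_private_key),
            rejects(InvalidToken, tampered, wrapped_dek, private_key))
```

`round_trip_demo()` returns three booleans: the payload round-trips, another party's private key cannot unwrap the DEK, and a modified ciphertext fails Fernet's integrity check instead of decrypting to altered data.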