简体繁体 English

在python模块中封装/隐藏秘密

[英]Encapsulate/hide a secret in a python module

原文 2019-02-18 12:15:28 6 1 python/ python-3.x

Currently I'm running a microservice that does some transformation involving a secret with a string it receives and returns the new string.目前我正在运行一个微服务，它执行一些转换，涉及一个带有字符串的秘密，它接收并返回新字符串。 So the data is moved across the network to the function.所以数据通过网络移动到函数。

However, to improve the performance, its preferable if the function comes to the data.但是，为了提高性能，如果函数涉及数据，则更可取。 It would be great to have a local python module (we are set to python here) that performs the transformation and only receives the secret at initialisation.最好有一个本地 python 模块（我们在这里设置为 python）来执行转换并且只在初始化时接收秘密。

So now the question: How can I store (temporarily) the secret in a way, that the user of the module is not able to read it?那么现在的问题是：如何以某种方式存储（临时）秘密，模块的用户无法读取它？ Its not a strong secret, so it does not need fancy crypto here.这不是一个强大的秘密，所以这里不需要花哨的加密。 But it should prevent the user from reading it without any effort, as the python "private" class variable allows.但它应该防止用户不费吹灰之力就阅读它，因为python“私有”类变量允许。

1 个解决方案

Since the user can presumably just edit the module to intercept the secret as it's being received from the network, and see how it's accessed, there's not much to gain security-wise from obfuscating how it's stored.由于用户可能只是编辑模块以拦截从网络接收到的秘密，并查看它是如何访问的，因此通过混淆它的存储方式并没有太多的安全方面的好处。

Either way, if you really do want to do this, I'd suggest sneaking it into somewhere else than your module;不管怎样，如果你真的想这样做，我建议你把它偷偷放到你的模块之外的其他地方； for instance, you could slip it into the namespace of a builtin module like sys ... But again, the moment someone reads your module's code (either from the .py or by decompiling), they will see what's happening.例如，您可以将它插入到像sys这样的内置模块的命名空间中……但同样，当有人读取您模块的代码（从 .py 或通过反编译）时，他们将看到发生了什么。