Automatic security in Python

 
Greenhorn
Posts: 5
I need a simple platform-independent Python script that does the following:

I need all of these steps to be safe

Some of the problems are that Python can't wipe data in memory, also I don't know if it is even possible to store encrypted data safely and at the same time decrypt it without any user interaction
 
Saloon Keeper
Posts: 15624
366
There's a lot you're not telling us.

Is this a web application? Will the code run on a server? What kind of string needs to be encrypted? Why does it need to be decrypted? How long will the string be stored/used? How often will it be retrieved/decrypted? Whose key will be used to encrypt the string?

Security is never "automatic". It depends on a lot of variables that you have to think hard on.
 
Ahmed El-Zeedy
Greenhorn
Posts: 5

Stephan van Hulst wrote: There's a lot you're not telling us.

Is this a web application? Will the code run on a server? What kind of string needs to be encrypted? Why does it need to be decrypted? How long will the string be stored/used? How often will it be retrieved/decrypted? Whose key will be used to encrypt the string?

Security is never "automatic". It depends on a lot of variables that you have to think hard on.

I want to create an encrypted 7z archive daily using 7-Zip software (i.e. using subprocess.run()), so:
- The sensitive string holds the password
- The string should be decrypted and passed as an argument to the 7z executable, something like this:

- The code won't run on a server and won't be used in a web app
- It will be retrieved twice daily, once for creating the archive and once for testing its integrity
- It should remain stored for as long as possible, at least 30 days

Regarding the word "automatic", I just meant that everything is done without user involvement while still being secure
 
Stephan van Hulst
Saloon Keeper
Posts: 15624
366
Well now, you've gone and created a problem: which key are you going to use to encrypt the password?

Either the application will need to ask you for a key so it can decrypt the archive password, or it needs to store the key in some file.

If it needs to ask you for a key, you might as well enter the zip password directly. If instead you store the encryption key on disk, you might as well store the zip password on disk unencrypted.
 
Ahmed El-Zeedy
Greenhorn
Posts: 5

Stephan van Hulst wrote: Well now, you've gone and created a problem: which key are you going to use to encrypt the password?

Either the application will need to ask you for a key so it can decrypt the archive password, or it needs to store the key in some file.

If it needs to ask you for a key, you might as well enter the zip password directly. If instead you store the encryption key on disk, you might as well store the zip password on disk unencrypted.

I want to protect the password with something that is device-specific (e.g. a TPM; I have 1.2, but I don't have enough knowledge about it). I don't care much about having the stored password remain accessible, since I only store it for automation.

If not possible, then maybe I would have to use an easier password or PIN to encrypt it

Regardless, I don't know how to implement these steps securely
 
Stephan van Hulst
Saloon Keeper
Posts: 15624
366
I did some looking around, but I couldn't find Python libraries that directly target TPM 1.2. That's not to say that there aren't any!

I discovered that Microsoft offers a Python implementation of their TPM software stack. Note that this targets TPM 2.0. Whether it is usable for an architecture that includes TPM 1.2 hardware, I don't know.

Microsoft's CNG API offers a way to store persistent keys in hardware security modules. Maybe you can call it from your Python application using Pybind or Nanobind.

Before we continue recommending an approach to you, please explain the full use case to us. Why are you creating an encrypted archive? What does it contain? On what system will the application be running? How does the current user relate to the archive? Are they the owner of the archive? Are they the owner of the system creating the archive? What happens to the archive after it's created? How does the application get started? Does the application keep running after it's started, or is it invoked periodically?
 
Ahmed El-Zeedy
Greenhorn
Posts: 5
I appreciate your efforts!

A user uses this software on his Windows PC (and preferably Linux and MacOS too) to create encrypted backups in a folder which is actively synchronized by a cloud sync software of any provider to create cloud backups without worrying about privacy... The scheduling is done by an external scheduling tool (e.g. Task Scheduler)... The program terminates once archive creation and integrity testing is done

After thinking about it, I found out that I totally missed the fact that the data being backed up itself would be stored unencrypted on the user's device; so the data is already vulnerable once his device is compromised; so storing the password securely isn't going to offer any benefit

Anyways, I think I found a solution regarding encrypting the password with OS user credentials: https://pypi.org/project/keyring/
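As an added example (not code from this thread, from 7-Zip or from the keyring project), this is the flow the discussion converges on: the archive password is stored once, interactively, in the OS credential store through keyring, and the scheduled run reads it back and drives 7z for archive creation and then the integrity test. It assumes keyring is installed, a 7z executable on PATH, and the hypothetical entry names SERVICE and ACCOUNT.

```python
import getpass
import shutil
import subprocess
import sys

# Hypothetical entry names for the OS credential store (assumptions, not from the thread).
SERVICE = "daily-7z-backup"
ACCOUNT = "archive-password"

def store_password(password):
    """One-time, interactive step: hand the password to the OS credential store."""
    import keyring  # pip install keyring; backed by DPAPI, Keychain or Secret Service
    keyring.set_password(SERVICE, ACCOUNT, password)

def load_password():
    """Unattended retrieval: the OS user's login session, not the script, guards the secret."""
    import keyring
    password = keyring.get_password(SERVICE, ACCOUNT)
    if password is None:
        raise RuntimeError("no password stored; run 'setup' once")
    return password

def create_cmd(exe, archive, source, password):
    # -mhe=on also encrypts the header, so file names are unreadable without the password.
    return [exe, "a", "-t7z", "-mhe=on", "-p" + password, str(archive), str(source)]

def verify_cmd(exe, archive, password):
    return [exe, "t", "-p" + password, str(archive)]

def run_backup(source, archive, exe=None):
    """Create the archive, then test its integrity; returns 7z's exit code (0 = both OK)."""
    exe = exe or shutil.which("7z") or shutil.which("7za")
    if exe is None:
        raise FileNotFoundError("7-Zip executable not found on PATH")
    password = load_password()
    for cmd in (create_cmd(exe, archive, source, password), verify_cmd(exe, archive, password)):
        # Output is discarded so the password-bearing command line is never echoed into a log.
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if result.returncode != 0:
            return result.returncode
    return 0

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "setup":
        store_password(getpass.getpass("Archive password: "))  # never passed as an argument
    else:
        # Usage from the scheduler: python backup.py <source-dir> <archive.7z>
        sys.exit(run_backup(sys.argv[1], sys.argv[2]))
```

The credential store ties the entry to the logged-in OS user, which is the trade-off Stephan described: anyone who can run code as that user can read it, so it protects against offline reads of the disk, not a compromised account.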