MCPcopy Create free account
hub / github.com/Dstack-TEE/dstack / encrypt_env

Function encrypt_env

vmm/src/vmm-cli.py:260–319  ·  view source on GitHub ↗

Encrypts environment variables using a one-time X25519 key exchange and AES-GCM. This function does the following: 1. Converts the given environment variables to JSON bytes. 2. Removes a leading "0x" from the provided public key (if present) and converts it to bytes. 3. Genera

(envs, hex_public_key: str)

Source from the content-addressed store, hash-verified

258
259
260def encrypt_env(envs, hex_public_key: str) -> str:
261 """Encrypts environment variables using a one-time X25519 key exchange and AES-GCM.
262
263 This function does the following:
264 1. Converts the given environment variables to JSON bytes.
265 2. Removes a leading "0x" from the provided public key (if present) and converts it to bytes.
266 3. Generates an ephemeral X25519 key pair.
267 4. Computes a shared secret using this ephemeral private key and the remote public key.
268 5. Uses the shared key directly as the 32-byte key for AES-GCM.
269 6. Encrypts the JSON string with AES-GCM using a randomly generated IV.
270 7. Concatenates the ephemeral public key, IV, and ciphertext and returns it as a hex string.
271
272 Args:
273 envs: The environment variables to encrypt. This can be any JSON-serializable data structure.
274 hex_public_key: The remote encryption public key in hexadecimal format.
275
276 Returns:
277 A hexadecimal string that is the concatenation of:
278 (ephemeral public key || IV || ciphertext).
279
280 """
281 if not CRYPTO_AVAILABLE:
282 raise ImportError(
283 "Cryptography libraries not available. Please install them with:\n"
284 "pip install cryptography eth-keys eth-utils"
285 )
286
287 # Serialize the environment variables to JSON and encode to bytes.
288 envs_json = json.dumps({"env": envs}).encode("utf-8")
289
290 # Remove the "0x" prefix if present.
291 if hex_public_key.startswith("0x"):
292 hex_public_key = hex_public_key[2:]
293
294 # Convert the hexadecimal public key to bytes.
295 remote_pubkey_bytes = bytes.fromhex(hex_public_key)
296
297 # Generate an ephemeral X25519 key pair.
298 ephemeral_private_key = x25519.X25519PrivateKey.generate()
299 ephemeral_public_key = ephemeral_private_key.public_key()
300
301 # Compute the shared secret using X25519.
302 peer_public_key = x25519.X25519PublicKey.from_public_bytes(remote_pubkey_bytes)
303 shared = ephemeral_private_key.exchange(peer_public_key)
304
305 # Use the shared secret as a key for AES-GCM encryption (AES-256 needs 32 bytes).
306 aesgcm = AESGCM(shared)
307 iv = os.urandom(12) # 12-byte nonce (IV) for AES-GCM.
308 ciphertext = aesgcm.encrypt(iv, envs_json, None)
309
310 # Serialize the ephemeral public key to raw bytes.
311 ephemeral_public_bytes = ephemeral_public_key.public_bytes(
312 encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw
313 )
314
315 # Combine ephemeral public key, IV, and ciphertext.
316 result = ephemeral_public_bytes + iv + ciphertext
317

Callers 3

create_vmMethod · 0.85
update_vm_envMethod · 0.85
update_vmMethod · 0.85

Calls 1

generateMethod · 0.80

Tested by

no test coverage detected