Python Decryption Script

This python script shows how to decrypt an encrypted REST API response. Replace the script’s values with your environment’s values for the following variables:

  • key_str—The encryption key that you generated when you configured encryption for your cluster; see Configure Encryption (or the comparable page for a Supervisor version other than the latest).

  • cluster_name—Your cluster name.

  • encrypted_str—The encrypted string returned from a call to the Pepperdata REST API. Be sure to include the string’s prefix and postfix characters, -.. and ._, because the decrypt function looks for these characters.

# Pepperdata data decryption example for realms with encrypted data

import base64
import hashlib

# pip install pycrypto
import Crypto.Cipher.AES

# the decryption key
key_str = "notsecret"

# the pepperdata cluster name
cluster_name = "pd-emr-encrypted"

def decrypt(encrypted_str, key16, iv16):
    assert 16 == len(key16)
    assert 16 == len(iv16)
    assert "-.." == encrypted_str[0:3]  # Look for prefix delimiter for encrypted string
    assert "._" == encrypted_str[-2:]  # Look for postfix delimiter for encrypted string
    delimiter_removed_cipher_text = encrypted_str[3:-2]
    dot_translated_cipher_text = delimiter_removed_cipher_text.replace(".", "=")
    b64_decoded_cipher_text = base64.urlsafe_b64decode(dot_translated_cipher_text)
    aes =,
    decrypted_bytes = aes.decrypt(b64_decoded_cipher_text)
    decrypted_stripped_bytes = _strip_pkcs7_padding(decrypted_bytes)
    return decrypted_stripped_bytes.decode(encoding="UTF_8")

def _strip_pkcs7_padding(padded):
    Strip pkcs7-style padding.
    :param bytes padded: The padded input byte sequence.
    :rtype: bytes
    padding_byte = padded[-1]
    padding_byte_count = padding_byte
    return padded[:-padding_byte_count]

def test():
    iv_str = cluster_name
    key_bytes = key_str.encode("UTF-8")
    iv_bytes = iv_str.encode("UTF-8")

    key_hashed = hashlib.sha1(key_bytes).digest()[:16]  # Limit to first sixteen bytes
    iv = hashlib.sha1(iv_bytes).digest()[:16]  # Limit to first sixteen bytes

    encrypted_str = '-..XPPYxRor6XEwn9K4WHq9V4A-EYZnYWbGXOCBJ2anOLcFMPscOBA6oIG8iXn7cZBH._'

    print('encrypted string is {}'.format(encrypted_str))
    decrypted_text = decrypt(encrypted_str, key_hashed, iv)
    print('decrypted string is {}'.format(decrypted_text))