Python Decryption Script
This python script shows how to decrypt an encrypted REST API response. Replace the script’s values with your environment’s values for the following variables:
- `key_str` — The encryption key that you generated when you configured encryption for your cluster; see Configure Encryption (or the comparable page for a Supervisor version other than the latest).
- `cluster_name` — Your cluster name.
- `encrypted_str` — The encrypted string returned from a call to the Pepperdata REST API. Be sure to include the string's prefix and postfix characters, `-..` and `._`, because the `decrypt` function looks for these characters.
# Pepperdata data decryption example for realms with encrypted data
import base64
import hashlib
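# pip install pycrypto
# NOTE: pycrypto is no longer maintained; pycryptodome is a maintained fork
# that installs the same Crypto.Cipher.AES module.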
import Crypto.Cipher.AES
# The decryption key string. "notsecret" is a placeholder: replace it with the
# key generated for your cluster, and prefer loading the real value from an
# environment variable or secret store over committing it to source control.
key_str = "notsecret"
# The Pepperdata cluster name. test() hashes this value to obtain the CBC IV,
# so it must match the cluster that produced the encrypted string.
cluster_name = "pd-emr-encrypted"
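def decrypt(encrypted_str, key16, iv16):
    """
    Decrypt one encrypted value returned by the REST API.

    The input must have the form ``-..<payload>._``, where the payload is
    URL-safe base64 with ``.`` standing in for the ``=`` pad character. The
    payload is decrypted with AES in CBC mode and its PKCS#7 padding removed.

    CBC gives confidentiality only; nothing here authenticates the ciphertext,
    so a successful return does not prove the data was not modified.

    :param str encrypted_str: The delimited, encoded ciphertext.
    :param bytes key16: The 16-byte AES key.
    :param bytes iv16: The 16-byte initialization vector.
    :rtype: str
    :raises ValueError: If the key, IV, delimiters or ciphertext length are
        invalid.
    """
    prefix, postfix = "-..", "._"
    block_size = 16  # AES block size in bytes; the key and IV use it too

    # Explicit checks rather than ``assert``: assertions are stripped when
    # Python runs with -O, which would let malformed input reach the cipher.
    if len(key16) != block_size:
        raise ValueError("key16 must be exactly 16 bytes")
    if len(iv16) != block_size:
        raise ValueError("iv16 must be exactly 16 bytes")
    if len(encrypted_str) < len(prefix) + len(postfix):
        raise ValueError("encrypted string is too short to hold both delimiters")
    if not encrypted_str.startswith(prefix):
        raise ValueError("encrypted string must start with '-..'")
    if not encrypted_str.endswith(postfix):
        raise ValueError("encrypted string must end with '._'")

    payload = encrypted_str[len(prefix):-len(postfix)]
    # The payload uses '.' where standard base64 uses '=' padding.
    cipher_text = base64.urlsafe_b64decode(payload.replace(".", "="))
    if not cipher_text or len(cipher_text) % block_size:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")

    aes = Crypto.Cipher.AES.new(key16,
                                mode=Crypto.Cipher.AES.MODE_CBC,
                                IV=iv16)
    padded_plain_text = aes.decrypt(cipher_text)
    return _strip_pkcs7_padding(padded_plain_text).decode(encoding="UTF_8")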
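def _strip_pkcs7_padding(padded):
    """
    Strip pkcs7-style padding, rejecting input whose padding is malformed.

    The last byte gives the number of padding bytes, and every padding byte
    must carry that same value. Malformed padding typically means the wrong
    key or IV was used, or the ciphertext was corrupted. Passing this check is
    not an integrity guarantee.

    :param bytes padded: The padded input byte sequence.
    :rtype: bytes
    :raises ValueError: If the input is empty or its padding is not well
        formed.
    """
    if not padded:
        raise ValueError("cannot strip padding from empty input")

    padding_byte_count = padded[-1]
    # A count of 0 must be rejected explicitly: padded[:-0] is padded[:0],
    # which would silently return an empty result instead of failing.
    if not 1 <= padding_byte_count <= len(padded):
        raise ValueError("invalid PKCS#7 padding")

    expected_tail = bytes([padding_byte_count]) * padding_byte_count
    if padded[-padding_byte_count:] != expected_tail:
        raise ValueError("invalid PKCS#7 padding")

    return padded[:-padding_byte_count]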
def test():
    """
    Decrypt a sample value using the module-level key and cluster name.

    The AES key and the IV are each the first sixteen bytes of a SHA-1 digest:
    the key comes from ``key_str`` and the IV from ``cluster_name``.
    """
    def _first16_of_sha1(text):
        # SHA-1 yields 20 bytes; only the first sixteen are kept.
        return hashlib.sha1(text.encode("UTF-8")).digest()[:16]

    key_hashed = _first16_of_sha1(key_str)
    # NOTE: the IV is derived from the cluster name, so it is the same for
    # every value; equal plaintexts under one key give equal ciphertexts.
    iv = _first16_of_sha1(cluster_name)

    encrypted_str = '-..XPPYxRor6XEwn9K4WHq9V4A-EYZnYWbGXOCBJ2anOLcFMPscOBA6oIG8iXn7cZBH._'
    print('encrypted string is {}'.format(encrypted_str))
    print('decrypted string is {}'.format(decrypt(encrypted_str, key_hashed, iv)))
# Run the example as soon as this file is executed or imported; there is no
# __main__ guard around the call.
test()