Encryptor
Encryption utilities for gllm_datastore.
AESGCMEncryptor(key)
Bases: BaseEncryptor
AES-GCM 256 Encryptor that accepts keys directly.
This class provides AES-GCM symmetric encryption and decryption methods with a 256-bit key provided directly by the client.
Attributes:
| Name | Type | Description |
|---|---|---|
key |
bytes
|
256-bit encryption key. |
aesgcm |
AESGCM
|
AES-GCM instance. |
Initialize AESGCMEncryptor with a direct key.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
key |
bytes
|
256-bit encryption key. |
required |
Raises:
| Type | Description |
|---|---|
ValueError
|
If key length is not 256 bits. |
decrypt(ciphertext)
Decrypts the AES-GCM ciphertext.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
ciphertext |
str
|
The ciphertext in base64 format to be decrypted. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
str |
str
|
The decrypted plaintext data. |
encrypt(plaintext)
Encrypts the plaintext using AES-GCM with a random nonce.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
plaintext |
str
|
The plaintext data to be encrypted. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
str |
str
|
The encrypted data, encoded in base64 format. |
KeyRotatingEncryptor(key_ring, active_key_id)
Bases: BaseEncryptor
Encryptor that supports key rotation through a key ring.
This encryptor uses a BaseKeyRing to manage multiple encryption keys. Users must specify which key to use for encryption and decryption operations.
Attributes:
| Name | Type | Description |
|---|---|---|
key_ring |
BaseKeyRing
|
The key ring managing encryption keys. |
active_key_id |
str
|
The ID of the current key to use for encryption. |
Initialize KeyRotatingEncryptor with a key ring.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
key_ring |
BaseKeyRing
|
The key ring to use for key management. |
required |
active_key_id |
str
|
The ID of the current key to use for encryption. |
required |
active_key_id: str
property
writable
Get the ID of the current key to use for encryption.
decrypt(ciphertext)
Decrypt ciphertext the key detected from metadata.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
ciphertext |
str
|
The encrypted data with key metadata. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
str |
str
|
The decrypted plaintext. |
Raises:
| Type | Description |
|---|---|
ValueError
|
If the data format is invalid or decryption fails. |
KeyError
|
If the required key is not available. |
encrypt(plaintext)
Encrypt plaintext using the specified key.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
plaintext |
str
|
The plaintext to encrypt. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
str |
str
|
The encrypted data with key metadata, encoded in base64. |
Raises:
| Type | Description |
|---|---|
KeyError
|
If the specified key does not exist. |