kdbxtool.security.crypto
Cryptographic primitives and utilities for kdbxtool.
This module provides:
- Constant-time comparison functions for authentication
- Cipher abstractions for KDBX encryption
- HMAC utilities for integrity verification
All cryptographic operations use well-audited libraries (PyCryptodome).
Functions
- compute_hmac_sha256(key, data): Compute HMAC-SHA256 of data using the given key.
- constant_time_compare(a, b): Compare two byte sequences in constant time.
- secure_random_bytes(n): Generate cryptographically secure random bytes.
- verify_hmac_sha256(key, data, expected_mac): Verify HMAC-SHA256 in constant time.
Classes
- Cipher: Supported ciphers for KDBX encryption.
- CipherContext: Context for encrypting or decrypting data with a KDBX cipher.
- class kdbxtool.security.crypto.Cipher(*values)
Bases: Enum
Supported ciphers for KDBX encryption.
KDBX supports three ciphers:
- AES-256-CBC: Traditional cipher, widely supported
- ChaCha20: Modern stream cipher, faster in software
- Twofish-256-CBC: Legacy cipher, requires the oxifish package
Note: KDBX uses plain ChaCha20, not ChaCha20-Poly1305. None of the three ciphers authenticates the data by itself; integrity and authenticity come from the HMAC block stream, in which every block carries its own HMAC-SHA256 tag that is verified before the block is decrypted.
The UUID values are defined in the KDBX specification.
- AES256_CBC = b'1\xc1\xf2\xe6\xbfqCP\xbeX\x05!j\xfcZ\xff' (UUID 31C1F2E6-BF71-4350-BE58-05216AFC5AFF)
- CHACHA20 = b'\xd6\x03\x8a+\x8boL\xb5\xa5$3\x9a1\xdb\xb5\x9a' (UUID D6038A2B-8B6F-4CB5-A524-339A31DBB59A)
- TWOFISH256_CBC = b'\xadh\xf2\x9fWoK\xb9\xa3j\xd4z\xf9e4l' (UUID AD68F29F-576F-4BB9-A36A-D47AF965346C)
- classmethod from_uuid(uuid_bytes)
Look up a cipher by its KDBX UUID.
- Parameters:
uuid_bytes (bytes) – 16-byte cipher identifier from the KDBX header
- Returns:
The corresponding Cipher enum value
- Raises:
ValueError – If the UUID doesn't match any known cipher
- Return type:
Cipher
- kdbxtool.security.crypto.constant_time_compare(a, b)
Compare two byte sequences in constant time.
This prevents timing attacks. A naive comparison returns as soon as it hits the first differing byte, so an attacker who can measure response times learns how many leading bytes of a secret value (for example an HMAC tag) are correct and can recover it byte by byte. A constant-time comparison takes the same time regardless of where, or whether, the inputs differ; only their contents are hidden, not their lengths, which is fine for fixed-size values such as 32-byte HMAC-SHA256 tags.
- kdbxtool.security.crypto.secure_random_bytes(n)
Generate cryptographically secure random bytes.
Uses os.urandom, which draws from the operating system's CSPRNG and is suitable for generating keys, IVs, nonces and salts. Do not substitute the random module, which is not cryptographically secure.
- kdbxtool.security.crypto.compute_hmac_sha256(key, data)
Compute HMAC-SHA256 of data using the given key.
- kdbxtool.security.crypto.verify_hmac_sha256(key, data, expected_mac)
Verify HMAC-SHA256 in constant time.
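The following is an added example, not kdbxtool's own code, showing how the three HMAC helpers above fit together and why the comparison must be constant-time. It builds on the standard library only, uses illustrative function names that mirror this page's API, and includes a miniature HMAC block stream laid out the way KDBX 4 does it (per-block key = SHA-512(LE64(index) || 64-byte HMAC key), tag over LE64(index) || LE32(length) || data, terminated by a zero-length block). The sample payload and key are constructed for the demonstration.

```python
# Added example (not kdbxtool's code): constant-time MAC verification and a
# miniature KDBX4-style HMAC block stream using only the standard library.
import hashlib
import hmac
import struct


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Compare a and b without leaking the position of the first mismatch.

    hmac.compare_digest runs in time that depends on the inputs' lengths,
    not their contents, so a remote attacker cannot guess a tag byte by byte.
    """
    return hmac.compare_digest(a, b)


def compute_hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac_sha256(key: bytes, data: bytes, expected_mac: bytes) -> bool:
    return constant_time_compare(compute_hmac_sha256(key, data), expected_mac)


# --- KDBX 4 HMAC block stream ------------------------------------------
# Each block i gets its own key K_i = SHA-512(LE64(i) || hmac_key64) and a
# 32-byte tag over LE64(i) || LE32(len) || data.  Layout on disk per block:
# tag (32) || length (4, LE) || data.  A final block of length 0 terminates
# the stream, so a truncated file fails verification instead of decrypting.

def block_key(hmac_key64: bytes, index: int) -> bytes:
    return hashlib.sha512(struct.pack("<Q", index) + hmac_key64).digest()


def block_mac(hmac_key64: bytes, index: int, data: bytes) -> bytes:
    header = struct.pack("<QI", index, len(data))
    return compute_hmac_sha256(block_key(hmac_key64, index), header + data)


def write_block_stream(hmac_key64: bytes, payload: bytes,
                       block_size: int = 1024 * 1024) -> bytes:
    out = bytearray()
    index = 0
    for start in range(0, len(payload), block_size):
        chunk = payload[start:start + block_size]
        out += block_mac(hmac_key64, index, chunk)
        out += struct.pack("<I", len(chunk)) + chunk
        index += 1
    # terminating zero-length block, also authenticated
    out += block_mac(hmac_key64, index, b"") + struct.pack("<I", 0)
    return bytes(out)


def read_block_stream(hmac_key64: bytes, stream: bytes) -> bytes:
    """Return the payload, raising ValueError on tampering or truncation."""
    payload = bytearray()
    pos, index = 0, 0
    while True:
        if pos + 36 > len(stream):
            raise ValueError("truncated block stream")
        mac = stream[pos:pos + 32]
        (length,) = struct.unpack("<I", stream[pos + 32:pos + 36])
        data = stream[pos + 36:pos + 36 + length]
        if len(data) != length:
            raise ValueError("truncated block stream")
        # Verify before using the block; never hand unauthenticated bytes on.
        if not constant_time_compare(block_mac(hmac_key64, index, data), mac):
            raise ValueError(f"HMAC mismatch in block {index}")
        pos += 36 + length
        if length == 0:
            return bytes(payload)
        payload += data
        index += 1


if __name__ == "__main__":
    key64 = bytes(range(64))                      # constructed sample key
    payload = b"constructed sample payload " * 100
    stream = write_block_stream(key64, payload, block_size=500)
    assert read_block_stream(key64, stream) == payload
    print("round trip ok,", len(stream), "bytes on the wire")
```

In the reader, the tag is checked before the block's bytes are appended to the output; that ordering is what turns the HMAC block stream into an authenticate-then-decrypt construction, which is why the plain (unauthenticated) ciphers in the Cipher enum are safe to use in KDBX.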
- class kdbxtool.security.crypto.CipherContext(cipher, key, iv)
Bases: object
Context for encrypting or decrypting data with a KDBX cipher.
This class wraps PyCryptodome cipher implementations with a consistent interface for KDBX operations.
- __init__(cipher, key, iv)
Initialize the cipher context.
- Parameters:
cipher (Cipher) – the cipher to use
key (bytes) – encryption key; the required length depends on the cipher
iv (bytes) – initialization vector (nonce for ChaCha20); the required length depends on the cipher
- Raises:
ValueError – If the key or IV size is incorrect for the chosen cipher
TwofishNotAvailableError – If Twofish is requested but oxifish is not installed
- Return type:
None
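As an added example (not kdbxtool's own implementation), here is a minimal cipher context that validates key and IV sizes up front, checks for the optional Twofish backend the way the docstring describes, and wraps PyCryptodome for AES-256-CBC and ChaCha20. The Cipher enum and from_uuid are reimplemented inline so the block runs stand-alone; the size table uses the KDBX 4 values (32-byte keys; 16-byte IV for the CBC ciphers, 12-byte nonce for ChaCha20). The oxifish API is not shown on this page, so the Twofish path only reports whether the package is present and is not wired to a cipher. PyCryptodome is imported lazily, so the validation logic runs even where it is not installed.

```python
# Added example (not kdbxtool's code): size-checked cipher context over
# PyCryptodome.  Names mirror the page's API but are illustrative.
import importlib.util
from enum import Enum


class Cipher(Enum):
    AES256_CBC = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
    CHACHA20 = bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a")
    TWOFISH256_CBC = bytes.fromhex("ad68f29f576f4bb9a36ad47af965346c")

    @classmethod
    def from_uuid(cls, uuid_bytes: bytes) -> "Cipher":
        for member in cls:
            if member.value == uuid_bytes:
                return member
        raise ValueError(f"unknown cipher UUID {bytes(uuid_bytes).hex()}")


class TwofishNotAvailableError(RuntimeError):
    pass


# (key length, IV/nonce length) in bytes, KDBX 4 values.
_SIZES = {
    Cipher.AES256_CBC: (32, 16),
    Cipher.CHACHA20: (32, 12),
    Cipher.TWOFISH256_CBC: (32, 16),
}


def pycryptodome_available() -> bool:
    return importlib.util.find_spec("Crypto") is not None


class CipherContext:
    def __init__(self, cipher: Cipher, key: bytes, iv: bytes) -> None:
        key_len, iv_len = _SIZES[cipher]
        # Reject wrong sizes here rather than letting the backend pick a
        # weaker key size or silently truncate the IV.
        if len(key) != key_len:
            raise ValueError(f"{cipher.name} needs a {key_len}-byte key, got {len(key)}")
        if len(iv) != iv_len:
            raise ValueError(f"{cipher.name} needs a {iv_len}-byte IV, got {len(iv)}")
        if cipher is Cipher.TWOFISH256_CBC and importlib.util.find_spec("oxifish") is None:
            raise TwofishNotAvailableError("Twofish requested but oxifish is not installed")
        self.cipher, self.key, self.iv = cipher, bytes(key), bytes(iv)

    def _backend(self):
        # Lazy import: PyCryptodome is only needed once we actually encrypt.
        if self.cipher is Cipher.AES256_CBC:
            from Crypto.Cipher import AES
            return AES.new(self.key, AES.MODE_CBC, iv=self.iv)
        if self.cipher is Cipher.CHACHA20:
            from Crypto.Cipher import ChaCha20
            return ChaCha20.new(key=self.key, nonce=self.iv)
        # The oxifish API is not documented on this page, so it is not called.
        raise NotImplementedError("Twofish is not wired up in this example")

    def encrypt(self, plaintext: bytes) -> bytes:
        if self.cipher is Cipher.CHACHA20:
            return self._backend().encrypt(plaintext)   # stream cipher, no padding
        from Crypto.Util.Padding import pad
        return self._backend().encrypt(pad(plaintext, 16))  # CBC needs PKCS#7

    def decrypt(self, ciphertext: bytes) -> bytes:
        if self.cipher is Cipher.CHACHA20:
            return self._backend().decrypt(ciphertext)
        from Crypto.Util.Padding import unpad
        return unpad(self._backend().decrypt(ciphertext), 16)


if __name__ == "__main__":
    # Constructed demo values; real keys come from the KDF, real IVs from os.urandom.
    key, iv = bytes(32), bytes(16)
    cipher = Cipher.from_uuid(Cipher.AES256_CBC.value)
    ct = CipherContext(cipher, key, iv).encrypt(b"hello kdbx")
    print(CipherContext(cipher, key, iv).decrypt(ct))
```

A fresh context is built for decryption in the demo because a CBC or ChaCha20 object from PyCryptodome is stateful: reusing the one that just encrypted would continue the chain (or keystream) rather than restart from the IV.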