Fernet (Pure Python Implementation)

Common errors

• TypeError: token must be bytes.

  cause The `decrypt()` method was called with a string instead of a bytes object.
  fix Ensure the encrypted token passed to `decrypt()` is a bytes object. If you loaded it from storage, ensure it's read in binary mode (e.g., `rb`) and not decoded prematurely.

• TypeError: key must be bytes.

  cause The Fernet key provided during initialization (`Fernet(key)`) was a string instead of a bytes object.
  fix Ensure the key is a bytes object. Keys are typically generated as bytes and should be handled as such. If loading from a file, read it in binary mode (`'rb'`).

• ValueError: Fernet key must be 32 url-safe base64-encoded bytes.

  cause The key used to initialize `Fernet()` is not the correct length (32 bytes) or is not properly URL-safe base64 encoded.
  fix Always use `Fernet.generate_key()` to create a valid key. If loading a key, ensure it hasn't been corrupted or modified and is still a 32-byte URL-safe base64-encoded bytes string.

Warnings

• breaking This 'fernet' library (PyPI package 'fernet', GitHub 'oz123/python-fernet') is a *pure Python reference implementation* and is **NOT RECOMMENDED for production or security-sensitive applications**. The actively maintained, robust, and cryptographically secure Fernet implementation is provided by the `cryptography` library (import `from cryptography.fernet import Fernet`).
  Fix: For any secure or production use case, switch to `cryptography.fernet`. Install with `pip install cryptography` and use `from cryptography.fernet import Fernet`.
• deprecated The `fernet` library by `oz123` was last updated in September 2016 and is not actively maintained for security patches or new features. Using an unmaintained cryptographic library can expose your application to known and unknown vulnerabilities.
  Fix: Migrate to `cryptography.fernet` which is actively developed and receives regular security audits and updates.
• gotcha The `fernet` library's `encrypt()` and `decrypt()` methods strictly require `bytes` objects as input. Passing plain strings will result in a `TypeError` or incorrect behavior.
  Fix: Ensure all plaintext messages are encoded to bytes (e.g., `"hello".encode('utf-8')`) before encryption, and decrypted messages are decoded from bytes to string (e.g., `decrypted_message.decode('utf-8')`) for string manipulation.

Install

• pip install fernet Install Fernet

Imports

• Fernet
  wrong:

  from cryptography.fernet import Fernet

  correct:

  from fernet import Fernet

  This is the import for the pure Python 'fernet' package. For secure applications, you should use 'from cryptography.fernet import Fernet' from the 'cryptography' library.

Quickstart

This quickstart demonstrates how to generate a key, encrypt a message, and decrypt it using the `fernet` library. Keys and messages must be bytes. Remember to store your generated key securely, as anyone with the key can decrypt your data. This example is for demonstration; for production, use `cryptography.fernet`.

import os
from fernet import Fernet

# Generate a new Fernet key. This must be kept secret and securely stored.
# In a real application, you would load this from a secure configuration.
key = Fernet.generate_key()
print(f"Generated Key: {key.decode()}")

# Instantiate Fernet with the key
f = Fernet(key)

# Original message (must be bytes)
original_message = b"My super secret message"

# Encrypt the message
encrypted_message = f.encrypt(original_message)
print(f"Encrypted Message: {encrypted_message}")

# Decrypt the message
decrypted_message = f.decrypt(encrypted_message)
print(f"Decrypted Message: {decrypted_message.decode()}")

# Verify decryption
assert original_message == decrypted_message
print("Decryption successful!")