Securing Python Applications with Cryptography Best Practices

By Robert F4 min readFebruary 18, 2026

Overview of the Cryptography Library

The cryptography library is a robust and user-friendly library that provides cryptographic recipes and primitives to Python developers. It supports both high-level recipes and low-level interfaces to common cryptographic algorithms.

Installation

To get started, you need to install the cryptography library. You can do this using pip:

pip install cryptography

Symmetric Encryption with Fernet

Symmetric encryption is a method where the same key is used for both encryption and decryption. The Fernet class in the cryptography library offers a simple interface for symmetric encryption.

Example: Encrypting and Decrypting Data

from cryptography.fernet import Fernet

# Generate a key
key = Fernet.generate_key()
cipher_suite = Fernet(key)

# Encrypt data
plaintext = b"Sensitive information"
ciphertext = cipher_suite.encrypt(plaintext)
print(f"Ciphertext: {ciphertext}")

# Decrypt data
decrypted_text = cipher_suite.decrypt(ciphertext)
print(f"Decrypted text: {decrypted_text.decode()}")

Key Management

Proper key management is crucial for maintaining the security of your application. Here are some best practices:

Store Keys Securely: Do not hard-code keys in your source code. Use environment variables or secure vaults (e.g., AWS Secrets Manager, HashiCorp Vault).
Rotate Keys Regularly: Implement a key rotation policy to minimize the risk of key compromise.
Use Strong Keys: Ensure keys are generated using a secure random number generator.

Hashing Passwords

Storing passwords in plain text is a significant security risk. Instead, use a strong hashing algorithm to securely store passwords. The cryptography library provides a way to hash passwords using PBKDF2 (Password-Based Key Derivation Function 2).

Example: Hashing and Verifying Passwords

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
import os
import base64

# Function to hash a password
def hash_password(password: str) -> str:
    salt = os.urandom(16)  # Generate a random salt
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=100000,
    )
    key = base64.urlsafe_b64encode(kdf.derive(password.encode()))
    return f"{salt.hex()}:{key.decode()}"

# Function to verify a password
def verify_password(stored_password: str, provided_password: str) -> bool:
    salt, key = stored_password.split(":")
    salt = bytes.fromhex(salt)
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=100000,
    )
    new_key = base64.urlsafe_b64encode(kdf.derive(provided_password.encode()))
    return new_key.decode() == key

# Example usage
hashed_password = hash_password("my_secure_password")
print(f"Hashed Password: {hashed_password}")
is_valid = verify_password(hashed_password, "my_secure_password")
print(f"Password valid: {is_valid}")

Digital Signatures

Digital signatures provide a way to ensure the authenticity and integrity of a message. They can be used to verify that a message was created by a specific sender and has not been altered.

Example: Creating and Verifying Digital Signatures

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes

# Generate a private key
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)

# Generate the public key
public_key = private_key.public_key()

# Sign a message
message = b"This is a secret message."
signature = private_key.sign(
    message,
    padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    ),
    hashes.SHA256()
)

# Verify the signature
try:
    public_key.verify(
        signature,
        message,
        padding.PSS(
            mgf=padding.MGF1(hashes.SHA256()),
            salt_length=padding.PSS.MAX_LENGTH
        ),
        hashes.SHA256()
    )
    print("Signature is valid.")
except Exception as e:
    print("Signature verification failed:", e)

Summary of Best Practices

Best Practice	Description
Secure Key Storage	Use environment variables or secure vaults for key storage.
Regular Key Rotation	Implement policies to rotate keys periodically.
Strong Password Hashing	Use PBKDF2 with a unique salt for each password.
Digital Signatures	Utilize RSA for signing and verifying messages.
Avoid Hardcoding Secrets	Never hard-code sensitive information in your source code.

Conclusion

Implementing cryptography in Python applications is essential for securing sensitive data. By following best practices such as secure key management, password hashing, and using digital signatures, developers can significantly enhance the security posture of their applications.

Learn more with useful resources: