cape_encrypt.cape_encrypt module

Cape Encrypt functionality for use within functions deployed to run in a Cape Enclave.

This module lets a function encrypt or decrypt information solely within a Cape Enclave, using the Cape Key associated with the function owner. Functions can then encrypt data generated during execution or have fine-grained control over decrypting inputs.

exception cape_encrypt.cape_encrypt.ConnectionError

Bases: Exception

An issue arose in the communication with the server.

exception cape_encrypt.cape_encrypt.ExecutionError

Bases: Exception

Server reports an error.

cape_encrypt.cape_encrypt.decrypt(ciphertext)

Decrypt a ciphertext with a Cape Key within a Cape Enclave.

This function is intended only for use within a function deployed in a Cape Enclave. It uses the Cape Key associated with the function’s owner to decrypt previously Cape Encrypted input.

Parameters:

ciphertext (bytes) – Base64-encoded bytes of a previously Cape Encrypted plaintext, prefixed with b"cape:"

Return type:

bytes

Returns:

Bytes representing the plaintext result of the decrypted ciphertext

Raises:
  • TypeError – if the input is not of the correct type

  • ValueError – if the input is formatted incorrectly or empty

  • ConnectionError – if an error is thrown from the socket connection

  • ExecutionError – if a server error is reported during the remote decryption process
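
An added example (not part of the Cape documentation or the cape_encrypt code base) of the fine-grained input decryption this module enables: it applies the documented decrypt input rules locally and decrypts only the named fields. The names decrypt_fields, check_cape_ciphertext, FieldError, fake_decrypt and the sample record are hypothetical, and the check assumes the b"cape:" prefix sits outside the base64 body.

```python
import base64
import binascii

PREFIX = b"cape:"  # prefix documented for Cape Encrypted values


class FieldError(Exception):
    """Hypothetical error for this example: names the field, never its content."""


def check_cape_ciphertext(value):
    """Apply the documented input rules locally, before any enclave call."""
    if not isinstance(value, bytes):
        raise TypeError("ciphertext must be bytes")
    if not value.startswith(PREFIX) or len(value) == len(PREFIX):
        raise ValueError("missing b'cape:' prefix or empty body")
    try:
        base64.b64decode(value[len(PREFIX):], validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64") from exc
    return value


def decrypt_fields(record, encrypted_keys, decrypt_fn):
    """Decrypt only the named fields; pass the rest through untouched.

    decrypt_fn is injected so the example runs offline. Inside an enclave it
    would be cape_encrypt.cape_encrypt.decrypt.
    """
    out = dict(record)
    for key in encrypted_keys:
        try:
            out[key] = decrypt_fn(check_cape_ciphertext(record[key]))
        except (KeyError, TypeError, ValueError) as exc:
            # Fail closed, and keep ciphertext and plaintext out of the message.
            raise FieldError(f"field {key!r} rejected: {type(exc).__name__}") from None
    return out


def fake_decrypt(ciphertext):
    """Constructed stand-in for the enclave call: base64-decodes the body only."""
    return base64.b64decode(ciphertext[len(PREFIX):])


# Constructed sample input: one protected field, one public field.
SAMPLE = {"ssn": PREFIX + base64.b64encode(b"123-45-6789"), "region": b"eu-west"}
```

Inside an enclave, pass cape_encrypt.cape_encrypt.decrypt as decrypt_fn. Its ConnectionError derives from Exception, so import it explicitly before catching it; a bare `except ConnectionError` otherwise refers to Python's built-in class and will not match.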

cape_encrypt.cape_encrypt.encrypt(plaintext)

Encrypt a plaintext with a Cape Key within a Cape Enclave.

This function is intended only for use within a function deployed in a Cape Enclave. It uses envelope encryption: the plaintext is first AES-encrypted with an ephemeral AES key, and then this key is itself encrypted with the Cape Key associated with the Cape account that owns the function.

Parameters:

plaintext (bytes) – bytes to encrypt.

Return type:

bytes

Returns:

Bytes representing the base64-encoded encryption of the plaintext. The bytes are a concatenation of the AES ciphertext of the plaintext, an AES nonce, and the RSA ciphertext of the AES key, prefixed by b"cape:".

Raises:
  • TypeError – if the input is not of the correct type

  • ValueError – if the input is empty

  • ConnectionError – if an error is thrown from the socket connection

  • ExecutionError – if a server error is reported during the remote encryption process