26 Data Encryption

Prompt: If I have a sensitive data, such as Hospital Number (HN), how to encrypt it in some text string and able to retrieve back as needed with permission?

To securely encrypt and decrypt sensitive data like a Hospital Number (HN), you can use symmetric encryption with a strong encryption algorithm, such as AES (Advanced Encryption Standard). Symmetric encryption uses the same key for both encryption and decryption, so you’ll need to ensure that the key is securely managed and only accessible with the proper permissions.

Here’s a step-by-step guide to encrypt and decrypt sensitive data like a Hospital Number (HN):

26.1 Example Code:

26.1.1 Step 1: Generate a key

(Do this once and store the key securely, like in an environment variable)

from cryptography.fernet import Fernet

# Step 1: Generate a key (Do this once and store the key securely, like in an environment variable)
# Key generation
key = Fernet.generate_key()
cipher_suite = Fernet(key)

print(f"key = {key}")
print(f"Encryption Key: {key.decode()}")

key = b'spKxRxkEA7yNMBYlQ64Xr_4rhO14zcxO1ct_rp6Wd4U='
Encryption Key: spKxRxkEA7yNMBYlQ64Xr_4rhO14zcxO1ct_rp6Wd4U=

26.1.2 Step 2: Encrypt the Hospital Number (HN)

def encrypt_hn(hospital_number: str, cipher_suite: Fernet) -> str:
    encrypted_data = cipher_suite.encrypt(hospital_number.encode())
    return encrypted_data.decode()

26.1.3 Step 3: Decrypt the encrypted HN

def decrypt_hn(encrypted_hn: str, cipher_suite: Fernet) -> str:
    decrypted_data = cipher_suite.decrypt(encrypted_hn.encode())
    return decrypted_data.decode()

26.1.4 Example Usage

hospital_number = "123456"

# Encrypt the HN
encrypted_hn = encrypt_hn(hospital_number, cipher_suite)
print(f"Encrypted Hospital Number: {encrypted_hn}")

# Decrypt the HN (with the correct key)
decrypted_hn = decrypt_hn(encrypted_hn, cipher_suite)
print(f"Decrypted Hospital Number: {decrypted_hn}")

Encrypted Hospital Number: gAAAAABm6acDyFNejwXCCX4ikMOT-IdCTlKfPOww6t0cyPb03UAtpuEH2Um3duDWYd2JKSwlfg86yFIaHmXAof5NQiiGSLHQGw==
Decrypted Hospital Number: 123456

26.1.5 How It Works:

Key Generation:
- The Fernet.generate_key() function generates a random key that is used to encrypt and decrypt the data. This key must be securely stored because it is required for decryption.
You should store this key in a secure location like an environment variable, a hardware security module (HSM), or a secure vault.
Encryption:
- The encrypt_hn() function takes the hospital number, encodes it as bytes, and uses the Fernet cipher suite to encrypt it.
- The encrypted data is returned as a base64-encoded string.
Decryption:
- The decrypt_hn() function takes the encrypted string, decodes it, and decrypts it using the same Fernet cipher suite and key.

26.1.6 Important Considerations:

Key Security: The encryption key is crucial to the security of the data. Ensure that the key is stored in a secure location, like an environment variable or a secure secrets manager (e.g., AWS Secrets Manager, Azure Key Vault).
Permission Control: Only authorized users or processes should have access to the encryption key. You can implement role-based access control (RBAC) to restrict key access to authorized personnel.
Key Rotation: It’s a good security practice to rotate encryption keys periodically. Make sure to securely rotate the key and re-encrypt the data as needed.
Environment Variables: In production, avoid hardcoding the key in the code. Instead, load it from an environment variable:

import os
key = os.getenv('ENCRYPTION_KEY').encode()
cipher_suite = Fernet(key)

26.1.7 Storing the Key Securely:

Local Development: Use environment variables (os.getenv()).
Production: Use a secrets manager (AWS Secrets Manager, Google Secret Manager, Azure Key Vault, etc.).

26.1.8 Summary:

Encrypt sensitive data like a hospital number using a symmetric encryption algorithm (AES via the Fernet cipher).
Store the key securely and ensure only authorized entities can access it.
Decrypt the data when necessary with the proper permissions and access control.