nacl.public

class Box(private_key, public_key)

The Box class boxes and unboxes messages between a pair of keys.

The ciphertexts generated by Box include a 16 byte authenticator which is checked as part of the decryption. An invalid authenticator will cause the decrypt function to raise an exception. The authenticator is not a signature. Once you’ve decrypted the message you’ve demonstrated the ability to create arbitrary valid messages, so messages you send are repudiable. For non-repudiable messages, sign them after encryption.

Parameters:
  • private_key – PrivateKey used to encrypt and decrypt messages
  • public_key – PublicKey used to encrypt and decrypt messages
Variables:
  • NONCE_SIZE – The size that the nonce is required to be.

decrypt(ciphertext, nonce=None, encoder=<class 'nacl.encoding.RawEncoder'>)

Decrypts the ciphertext using the nonce (explicitly, when passed as a parameter, or implicitly, when omitted, as part of the ciphertext) and returns the plaintext message.

Parameters:
  • ciphertext – [bytes] The encrypted message to decrypt
  • nonce – [bytes] The nonce used when encrypting the ciphertext
  • encoder – The encoder used to decode the ciphertext.
Return type: [bytes]

encrypt(plaintext, nonce=None, encoder=<class 'nacl.encoding.RawEncoder'>)

Encrypts the plaintext message using the given nonce (or generates one randomly if omitted) and returns the ciphertext encoded with the encoder.

Warning

It is VITALLY important that the nonce is a nonce, i.e. it is a number used only once for any given key. If you fail to do this, you compromise the privacy of the messages encrypted.

Parameters:
  • plaintext – [bytes] The plaintext message to encrypt
  • nonce – [bytes] The nonce to use in the encryption
  • encoder – The encoder to use to encode the ciphertext
Return type: [nacl.utils.EncryptedMessage]

shared_key()

Returns the Curve25519 shared secret, which can then be used as a key in other symmetric ciphers.

Warning

It is VITALLY important that you use a nonce with your symmetric cipher. If you fail to do this, you compromise the privacy of the messages encrypted. Ensure that the key length of your cipher is 32 bytes.

Return type: [bytes]

class PrivateKey(private_key, encoder=<class 'nacl.encoding.RawEncoder'>)

Private key for decrypting messages using the Curve25519 algorithm.

Warning

This must be protected and remain secret. Anyone who knows the value of your PrivateKey can decrypt any message encrypted by the corresponding PublicKey.

Parameters:
  • private_key – The private key used to decrypt messages
  • encoder – The encoder class used to decode the given keys
Variables:
  • SIZE – The size that the private key is required to be
  • SEED_SIZE – The size that the seed used to generate the private key is required to be

classmethod from_seed(seed, encoder=<class 'nacl.encoding.RawEncoder'>)

Generate a PrivateKey using a deterministic construction starting from a caller-provided seed.

Warning

The seed must be high-entropy; therefore, its generator must be a cryptographic quality random function like, for example, nacl.utils.random().

Warning

The seed must be protected and remain secret. Anyone who knows the seed is really in possession of the corresponding PrivateKey.

Parameters:
  • seed – The seed used to generate the private key
Return type: PrivateKey

classmethod generate()

Generates a random PrivateKey object.

Return type: PrivateKey

class PublicKey(public_key, encoder=<class 'nacl.encoding.RawEncoder'>)

The public key counterpart to a Curve25519 nacl.public.PrivateKey for encrypting messages.

Parameters:
  • public_key – [bytes] Encoded Curve25519 public key
  • encoder – A class that is able to decode the public_key
Variables:
  • SIZE – The size that the public key is required to be

class SealedBox(recipient_key)

The SealedBox class boxes and unboxes messages addressed to a specified key-pair by using ephemeral sender keypairs, whose private part is discarded just after encrypting a single plaintext message.

The ciphertexts generated by SealedBox include the public part of the ephemeral key before the Box ciphertext.

Parameters:
  • public_key – PublicKey used to encrypt messages and derive nonces
  • private_key – PrivateKey used to decrypt messages

New in version 1.2.

decrypt(ciphertext, encoder=<class 'nacl.encoding.RawEncoder'>)

Decrypts the ciphertext using the ephemeral public key enclosed in the ciphertext and the SealedBox private key, returning the plaintext message.

Parameters:
  • ciphertext – [bytes] The encrypted message to decrypt
  • encoder – The encoder used to decode the ciphertext.
Return bytes: The original plaintext

encrypt(plaintext, encoder=<class 'nacl.encoding.RawEncoder'>)

Encrypts the plaintext message using a randomly generated ephemeral keypair and returns a “composed ciphertext”, containing both the public part of the keypair and the ciphertext proper, encoded with the encoder.

The private part of the ephemeral key-pair will be scrubbed before returning the ciphertext; therefore, the sender will not be able to decrypt the generated ciphertext.

Parameters:
  • plaintext – [bytes] The plaintext message to encrypt
  • encoder – The encoder to use to encode the ciphertext
Return bytes: encoded ciphertext