def sg_decrypt_from_priv_seed(to_decrypt, private_seed_hex):
'''
For use with a private seed on your local server.
WARNING: placing the private seed on your local server defeats the whole
purpose of rate limiting. If an attacker has access to your encrypted
database and gets access to this seed on your server, they can easily
decrypt the whole database. Only use this method if you know what you're
doing. It's main purpose is recovery in case SecondGuard is down.
'''
prefix, encoding, seed_and_nonce_str, b64_iv_and_ciphertext = to_decrypt.split('$')
seed_pub_hash_hex, nonce = seed_and_nonce_str.split('@')
valid_pair = is_seed_hash_pair(
private_seed_hex=private_seed_hex,
seed_public_hash_hex=seed_pub_hash_hex,
)
if not valid_pair:
err_msg = seed_pub_hash_hex
err_msg += ' is not a valid private seed for the data you are trying to decrypt.'
raise Exception(err_msg)
unique_key = derive_child_key(
private_seed_hex=private_seed_hex,
nonce=nonce,
)
b64_text_to_decrypt = '$'.join(
(
prefix,
encoding,
# no seed_and_nonce_str
b64_iv_and_ciphertext,
)
)
return decrypt(
b64_text_to_decrypt=b64_text_to_decrypt,
key=unique_key[:KEY_LENGTH_IN_BYTES],
)
def test_derive_child_key(self):
child_key = derive_child_key(
private_seed_hex=self.priv_seed_hex,
nonce=self.some_nonce,
)
assert self.child_key == child_key