TOMToolkit
diff --git a/‎docs/customization/encrypted_model_fields.rst‎
Lines changed: 81 additions & 87 deletions b/‎docs/customization/encrypted_model_fields.rst‎
Lines changed: 81 additions & 87 deletions
diff --git a/‎docs/deployment/encryption.rst‎
Lines changed: 122 additions & 0 deletions b/‎docs/deployment/encryption.rst‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎docs/deployment/index.rst‎
Lines changed: 4 additions & 1 deletion b/‎docs/deployment/index.rst‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎tom_base/settings.py‎
Lines changed: 4 additions & 7 deletions b/‎tom_base/settings.py‎
Lines changed: 4 additions & 7 deletions
@@ -1,108 +1,102 @@
 Encrypted Model Fields
 ======================
 
-If your ``custom_code`` or reusable app contains a Model field storing user-specific
-sensitive data, then you may want to encrypt that data.
+If your ``custom_code`` or reusable app contains a model field storing
+user-specific sensitive data, you may want to encrypt that data at rest.
+
+Examples of user-specific sensitive data include passwords or API keys
+for external services that your TOM uses on the user's behalf. TOM
+Toolkit's Facility modules, for example, use the mechanism described
+here to store user-specific external-service credentials in a user
+profile model. Real examples live in
+`tom_eso <https://github.com/TOMToolkit/tom_eso>`__ and
+`tom_swift <https://github.com/TOMToolkit/tom_swift>`__.
+
+How encryption works
+--------------------
+
+Encrypted fields are protected by a single Fernet cipher derived from
+``settings.SECRET_KEY`` using HKDF (RFC 5869) with a domain-separator
+label. There is no per-user key material and no additional environment
+variable to manage. For the operator-side concerns (rotating
+``SECRET_KEY`` without losing data, etc.) see
+:doc:`/deployment/encryption`.
+
+.. note::
+
+   Encryption protects data from passive database exposure. It does NOT
+   protect against a server administrator with access to ``SECRET_KEY``
+   — by design, since the same admin needs to be able to run the
+   ``rotate_encryption_key`` command. If you need user-level isolation
+   from administrators, the toolkit's current scheme is not sufficient.
+
+Adding an encrypted field to a model
+------------------------------------
+
+Two pieces are needed on the model: a ``BinaryField`` for the
+ciphertext, and an :class:`EncryptedProperty` descriptor that handles
+encryption on write and decryption on read.
 
-Examples of user-specific sensitive
-data include a password or API key for an external service that your TOM uses.
-For example, TOMToolkit Facility modules can use the mechanism described here to store,
-encrypted, user-specific credentials in a user profile model. Examples include the
-`tom_eso <https://github.com/TOMToolkit/tom_eso>`__ and the
-`tom_swift <https://github.com/TOMToolkit/tom_swift>`__ facility modules.
-
-As we explain below, TOMToolkit provides a *mix-in* class, a *property descriptor*, and
-utility functions to help encrypt user-specific sensitive data and access it when it's needed.
-
-.. note:: For sensitive data that is used by the TOM itself and is not user-specific,
-    we suggest that this data be stored outside the TOM and accessed through
-    environment variables.
-
-Creating and accessing an encrypted Model field
------------------------------------------------
+.. code-block:: python
 
-Creating an encrypted Model field
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    from django.conf import settings
+    from django.db import models
+    from tom_common.models import EncryptedProperty
 
-If your Model has a field that should be encrypted, follow these steps:
 
-1. Import the mix-in class and property descriptor in your ``models.py``:
+    class MyAppProfile(models.Model):
+        user = models.OneToOneField(settings.AUTH_USER_MODEL,
+                                    on_delete=models.CASCADE)
+        _api_key_encrypted = models.BinaryField(null=True, blank=True)  # ciphertext (private)
+        api_key = EncryptedProperty('_api_key_encrypted')               # descriptor (public)
 
-.. code-block:: python
+By convention, the ``BinaryField``'s name starts with an underscore —
+its only consumer is the :class:`EncryptedProperty` descriptor; plugin
+code should never read or write it directly.
 
-    from tom_common.models import EncryptableModelMixin, EncryptedProperty
+Reading and writing the field
+-----------------------------
 
-2. Make your Model subclass a subclass of ``EcryptableModelMixin``. For example:
+Plain Python attribute access on the descriptor handles everything:
 
 .. code-block:: python
 
-    class MyAppModel(EncryptableModelMixin, models.Model):
-        ...
+    profile.api_key = 'something-secret'
+    profile.save()
 
-This gives your model access to a set of methods that will manage the encryption and
-decryption of your data into and out of the ``BinaryField`` that stores the encrypted data.
+    # later, possibly in a different process / request:
+    value = profile.api_key   # 'something-secret'
 
-3. Add the ``BinaryField`` that will store the encrypted data and the property descriptor
-through which the ``BinaryField`` will be accessed.
+On assignment, the descriptor calls
+:func:`tom_common.encryption.encrypt`, which builds a Fernet cipher
+from ``settings.SECRET_KEY`` and encrypts the value, then stores the
+ciphertext bytes in the underlying ``BinaryField``. On read, the
+descriptor calls :func:`tom_common.encryption.decrypt`, which
+transparently honours ``settings.SECRET_KEY_FALLBACKS`` (see
+:doc:`/deployment/encryption` for the rotation procedure).
 
-.. code-block:: python
+An empty string assignment clears the ciphertext (stores ``None`` in
+the ``BinaryField``). Reading an unset / empty field yields ``''``,
+not ``None`` — so consumers don't need to special-case the empty case.
 
-    _ciphertext_api_key = BinaryField(null=True, blank=True)  # encrypted data field (private)
-    api_key = EncryptedProperty('_ciphertext_api_key')  # descriptor that provides access (public)
+Some explanations
+-----------------
 
-By convention name of the ``BinaryField`` field should begin with and underscore
-(``_ciphertext_api_key`` in our example) because is it private to the Model class.
+:class:`EncryptedProperty` (`source <https://github.com/TOMToolkit/tom_base/blob/dev/tom_common/models.py>`__)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Accessing encrypted data
-~~~~~~~~~~~~~~~~~~~~~~~~
-The following example shows how to get and set an encrypted field using the utility
-methods provided in ``tom_common.session_utils.py``:
+A *property descriptor* implementing the Python descriptor protocol
+(``__get__``, ``__set__``, ``__set_name__``). It handles the details of
+decrypting the ciphertext ``BinaryField`` on its way out of the
+database and encrypting it on the way in. It is invoked whenever the
+property is accessed (e.g. ``profile.api_key`` reads;
+``profile.api_key = 'x'`` writes).
 
-.. code-block:: python
-
-    from tom_common.session_utils import get_encrypted_field, set_encrypted_field
-    from tom_app_example.models import MyAppModel
-    
-    profile: MyAppModel = user.myappmodel  # Model instance containing an encrypted field
-    
-    # getter example
-    decrypted_api_key: str = get_encrypted_field(user, profile, 'api_key')
-    
-    # setter example
-    new_api_key: str = 'something_secret'
-    set_encrypted_field(user, profile, 'api_key', new_api_key)
-
-Note here that the User instance (``user``) is used to access the ``EncryptableModelMixin``
-subclass and its encrypted data. The ``user`` property of the Model subclass containing the
-encrypted field (``MyAppModel`` in our example) is provided by the ``EncryptableModelMixin``.
-As such, the model *should not define a* ``user`` *property of its own*.
-
-Some Explanations
------------------
+The descriptor reads the cipher from
+:func:`tom_common.encryption._get_cipher` on every access, so changes
+to ``settings.SECRET_KEY`` (via ``override_settings`` in tests, or a
+deployment-level rotation) take effect immediately on the next read.
 
-EncryptableModelMixin
-~~~~~~~~~~~~~~~~~~~~~
-An abstract Django model mixin that provides a standardized ``user`` OneToOneField.
-Any model that stores encrypted data via ``EncryptedProperty`` should inherit from
-this mixin. The ``user`` field ties encrypted data to its owner, allowing the
-helper functions in ``session_utils`` to look up the user's Data Encryption Key
-(DEK) and build the cipher needed for encryption and decryption.
-
-EncryptedProperty (`source <https://github.com/TOMToolkit/tom_base/blob/069024f954e5540c1441c5186378de538f7d606f/tom_common/models.py#L39>`__)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-A *property descriptor* implements the Python descriptor protocol (``__get__``,
-``__set__``, etc). The ``EncryptedProperty`` property descriptor handles the details
-of decrypting the encrypted ``BinaryField`` on its way out of the database and
-encrypting it on the way in. It is invoked when the property is accessed
-(e.g. ``model_instance.api_key``).
-
-Session Utils (`example <https://github.com/TOMToolkit/tom_eso/blob/b74fe3b951ead6f6f332594724731d036944da47/tom_eso/eso.py#L209>`__)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The ``get_encrypted_field`` and ``set_encrypted_field`` functions implement
-boilerplate code for creating and destroying the cipher used to encrypt and
-decrypt the ``BinaryField``. *These methods must always be used to access any
-encrypted field*.
-
-
-The rest of the details are in the source code. If reading source code isn't your thing,
-please do feel free to get in touch and we'll be happy to answer any questions you may have.
+The rest of the details are in the source. If reading source isn't
+your thing, feel free to get in touch and we'll be happy to answer
+questions.
@@ -0,0 +1,122 @@
+Encryption at Rest and the SECRET_KEY
+=====================================
+
+TOM Toolkit encrypts sensitive user data at rest (API keys, observatory
+credentials, anything declared with :class:`EncryptedProperty`) using a
+single Fernet cipher derived from Django's ``settings.SECRET_KEY``.
+There is no additional environment variable to manage — your
+``SECRET_KEY`` is both your signing key (cookies, password-reset
+tokens, etc.) and the source of your encryption key.
+
+The derivation uses HKDF (RFC 5869) with a domain-separator label, so
+the encryption key is cryptographically independent of the way Django
+uses ``SECRET_KEY`` for HMAC signing. See
+:mod:`tom_common.encryption` for the implementation; for the plugin-
+developer-facing API see :doc:`/customization/encrypted_model_fields`.
+
+Treat ``SECRET_KEY`` like an encryption key
+-------------------------------------------
+
+If you lose ``SECRET_KEY`` (and any active
+``SECRET_KEY_FALLBACKS`` entries), every encrypted field becomes
+unrecoverable. Keep ``SECRET_KEY`` secret, never commit it, and back
+it up through whatever channel your other production secrets travel.
+
+The standard Django guidance applies — see the
+`Django deployment checklist
+<https://docs.djangoproject.com/en/stable/howto/deployment/checklist/>`_
+and the
+`SECRET_KEY documentation
+<https://docs.djangoproject.com/en/stable/ref/settings/#secret-key>`_.
+
+.. warning::
+
+   Rotating ``SECRET_KEY`` without first running the rotation procedure
+   below will leave every previously-encrypted field unreadable. Follow
+   the procedure exactly — don't just edit ``SECRET_KEY`` in your env.
+
+Graceful ``SECRET_KEY`` rotation
+--------------------------------
+
+We use Django's built-in
+`SECRET_KEY_FALLBACKS <https://docs.djangoproject.com/en/stable/ref/settings/#secret-key-fallbacks>`_
+mechanism to rotate keys without an outage and without data loss. The
+encryption module's ``decrypt()`` tries the primary derived key first
+and then a derived key for each ``SECRET_KEY_FALLBACKS`` entry; the
+``encrypt()`` path always uses the primary. So once a new
+``SECRET_KEY`` is in place with the old key in fallbacks, *reads of
+existing encrypted data continue to work*, and *new writes use the new
+key*.
+
+Scaffolded TOMs already include ``SECRET_KEY_FALLBACKS = []`` in their
+``settings.py`` (added by ``tom_setup``); if your TOM predates that
+template change, just add the line yourself.
+
+The end-to-end procedure:
+
+1. **Stage the old key as a fallback** and install a new
+   ``SECRET_KEY``. In ``settings.py``, move the existing
+   ``SECRET_KEY`` value into ``SECRET_KEY_FALLBACKS`` and set
+   ``SECRET_KEY`` to the new value::
+
+       SECRET_KEY = '<new key>'
+       SECRET_KEY_FALLBACKS = ['<previously-current key>']
+
+   (Or via env vars, whatever pattern your deployment uses.)
+
+2. **Restart the server.** All existing encrypted data is still
+   readable (via the fallback). All new writes — including any
+   re-encryption — use the new primary key. Django's HMAC signing
+   machinery also honours the fallback, so existing signed cookies
+   and password-reset tokens stay valid.
+
+3. **Re-encrypt existing data forward** so it no longer depends on the
+   fallback::
+
+       python manage.py rotate_encryption_key
+
+   The command walks every :class:`EncryptedProperty` field across
+   ``INSTALLED_APPS``, decrypts each value (transparently using either
+   the primary or a fallback), and re-encrypts under the primary. After
+   this, no value in the database requires the fallback to decrypt.
+
+4. **Remove the fallback** from ``settings.py``::
+
+       SECRET_KEY = '<new key>'
+       SECRET_KEY_FALLBACKS = []
+
+   Restart. You're now fully on the new key.
+
+If anything goes wrong between steps 1 and 3, simply leave the fallback
+in place — the system stays functional indefinitely with both keys
+active. ``rotate_encryption_key`` is idempotent: running it again is
+always safe.
+
+If the command reports per-row failures, those rows were encrypted under
+a key that is no longer in ``SECRET_KEY`` ∪ ``SECRET_KEY_FALLBACKS``
+(i.e., that key has been forgotten). Add it back if you can; otherwise
+the data on those rows is lost.
+
+What if ``SECRET_KEY`` is lost?
+-------------------------------
+
+If you lose ``SECRET_KEY`` and have no backup:
+
+- Every :class:`EncryptedProperty` value (saved API keys, observatory
+  credentials) becomes unrecoverable. The ciphertext is still in the
+  database; the key needed to decrypt it is gone.
+- All Django signing-dependent state also breaks: outstanding password-
+  reset tokens, signed URLs, persistent session cookies. Users will
+  need to log in again and possibly re-enter any saved secrets.
+
+Treat ``SECRET_KEY`` backup with the same seriousness as your database
+backup.
+
+See also
+--------
+
+- :doc:`/customization/encrypted_model_fields` — how plugin authors
+  declare and use encrypted fields.
+- `Django deployment checklist
+  <https://docs.djangoproject.com/en/stable/howto/deployment/checklist/>`_
+  — the broader hardening you should do before going live.
@@ -8,6 +8,7 @@ Deploying your TOM Online
   deployment_tips
   deployment_heroku
   amazons3
+  encryption
 
 Once you’ve got a TOM up and running on your machine, you’ll probably want to deploy it somewhere so it is permanently
 accessible by you and your colleagues.
@@ -16,4 +17,6 @@ accessible by you and your colleagues.
 
 :doc:`Deploy to Heroku <deployment_heroku>` - Heroku is a PaaS that allows you to publicly deploy your web applications without the need for managing the infrastructure yourself.
 
-:doc:`Using Amazon S3 to Store Data for a TOM <amazons3>` - Enable storing data on the cloud storage service Amazon S3 instead of your local disk.
+:doc:`Using Amazon S3 to Store Data for a TOM <amazons3>` - Enable storing data on the cloud storage service Amazon S3 instead of your local disk.
+
+:doc:`Configuring the Master Encryption Key <encryption>` - How to set ``TOMTOOLKIT_DEK_ENCRYPTION_KEY`` across deploy environments and migrate off the public default.
@@ -28,16 +28,13 @@
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = os.getenv('SECRET_KEY', 'testkey')
 
+# Old SECRET_KEY values to keep accepting during a graceful rotation. See
+# docs/deployment/encryption.rst.
+SECRET_KEY_FALLBACKS = []
+
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-# Encryption key for protecting sensitive user data (API keys, credentials) at rest.
-# This is a Fernet key — a 44-character URL-safe base64 string encoding 32 random bytes.
-# Treat this like SECRET_KEY. See the TOM Toolkit encryption documentation.
-TOMTOOLKIT_DEK_ENCRYPTION_KEY = os.getenv(
-    'TOMTOOLKIT_DEK_ENCRYPTION_KEY',
-    'UlUYyKsGzQVwjpTbvhtgCihKaj07H1voc-V4pmb7NN4=')  # 44-char URL-safe base64 string
-
 ALLOWED_HOSTS = ['']
 
 # Application definition