diff options
| -rw-r--r-- | docs/fernet.rst | 7 | ||||
| -rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 3 |
2 files changed, 10 insertions, 0 deletions
diff --git a/docs/fernet.rst b/docs/fernet.rst index 0c1eb43d..65f70cf4 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -163,6 +163,13 @@ Specifically it uses: For complete details consult the `specification`_. +Limitations +----------- + +Fernet is ideal for encrypting data that easily fits in memory. As a design +feature it does not expose unauthenticated bytes. Unfortunately, this makes it +generally unsuitable for very large files at this time. + .. _`Fernet`: https://github.com/fernet/spec/ .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index e99c2c0a..8b047b8c 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -16,6 +16,9 @@ decrypt them. For this reason it is **strongly** recommended to combine encryption with a message authentication code, such as :doc:`HMAC </hazmat/primitives/mac/hmac>`, in an "encrypt-then-MAC" formulation as `described by Colin Percival`_. +``cryptography`` includes a recipe named :doc:`/fernet` that does this for you. +**To minimize the risk of security issues you should evaluate Fernet to see if +it fits your needs before implementing anything using this module.** .. class:: Cipher(algorithm, mode, backend) |