A data encryption & GDPR privacy-compliance tool. Encrypt sensitive records with AES-256-GCM envelope encryption (keys managed by AWS KMS or a local master key), control every decrypt through an access audit trail, generate a GDPR privacy policy from a form, and export a compliance report — all from a document-grade console.
Built with Python + Flask + Jinja2 + HTMX, the cryptography library, and a
"Redact" design system.
Stack: Python · Flask · Jinja2 · HTMX · `cryptography` (AES-256-GCM) · AWS KMS · SQLite · openpyxl · Port: `7700` · Theme: Redact (light + dark) · Keys default: local master key (zero-config)
- Encrypt vault — store sensitive values envelope-encrypted at rest. Each record gets a unique AES-256 data key, wrapped by the key provider. Values are shown as redaction bars and only revealed (decrypted) on demand.
- Decrypt — audited — every reveal/decrypt is recorded in the audit trail (who, what, when, from where).
- Access audit log — a complete "who accessed what" trail across encrypt, decrypt, export, key rotation and configuration changes, filterable + CSV export.
- Privacy policy generator — produce a GDPR-aligned privacy policy from your organisation details (data categories, legal bases, retention, DPO, transfers), preview it, and download self-contained HTML.
- Key management — view the active provider (AWS KMS or local), rotate the master key (re-wraps every data key without ever exposing plaintext).
- Compliance dashboard — encryption coverage, data-classification breakdown, access activity, and a GDPR readiness score against a control checklist.
- Compliance report — export to Excel (xlsx) or a printable HTML report.
- Built-ins — collapsible numbered document-index sidebar (`[`), light/dark theme, resizable table columns, hover-data charts, confirm modals, toasts.
- No AWS required — without `KMS_KEY_ID` the tool uses a local AES-256 master key (generated to `data/.master-key` on first boot). Envelope encryption is identical; only the data-key wrapping differs. Set `KMS_KEY_ID` + `AWS_REGION` to delegate wrapping to AWS KMS.
- Seeds a demo workspace (an organisation, encrypted records across classifications, audit history and a generated policy) on first run.
```bash
python -m venv .venv
. .venv/bin/activate       # Windows: .venv\Scripts\activate
pip install -r requirements.txt
python run.py              # → http://localhost:7700
```

Sign in with the demo passcode `protect-the-data`.

```bash
cp .env.example .env       # set KMS_KEY_ID, AWS_REGION + AWS credentials
python run.py
```

- A fresh AES-256 data key is generated for every record.
- The value is encrypted with AES-256-GCM using that data key.
- The data key is wrapped by the master key (AWS KMS or local) and stored beside the ciphertext.
- To decrypt, the provider unwraps the data key, the value is decrypted — and the access is written to the audit trail.
Rotating the master key re-wraps every data key; record contents are never decrypted during rotation.
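
The four steps and the rotation rule above, as an added Python example built on the `cryptography` library's `AESGCM`; it is not the project's `cipher.py` or `keys.py`. Assumptions: the local master key wraps data keys with AES-256-GCM, each nonce is prepended to its blob instead of being stored in its own column, and the record id is used as associated data; all function names and sample values are constructed for illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; returns nonce || ciphertext || tag (layout assumed)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of seal(); raises InvalidTag on a wrong key or altered data."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def encrypt_record(master_key: bytes, record_id: str, value: bytes) -> dict:
    data_key = AESGCM.generate_key(bit_length=256)  # fresh data key per record
    aad = record_id.encode()  # assumption: bind both blobs to the record id
    return {"id": record_id,
            "ciphertext": seal(data_key, value, aad),
            "wrapped_key": seal(master_key, data_key, aad)}


def decrypt_record(master_key: bytes, record: dict) -> bytes:
    aad = record["id"].encode()
    data_key = unseal(master_key, record["wrapped_key"], aad)
    return unseal(data_key, record["ciphertext"], aad)


def rotate(old_master: bytes, new_master: bytes, records: list) -> None:
    """Re-wrap each data key under new_master; ciphertext is not touched."""
    for rec in records:
        aad = rec["id"].encode()
        data_key = unseal(old_master, rec["wrapped_key"], aad)
        rec["wrapped_key"] = seal(new_master, data_key, aad)


if __name__ == "__main__":
    old, new = os.urandom(32), os.urandom(32)  # constructed master keys
    rec = encrypt_record(old, "rec-1", b"constructed sample value")
    before = rec["ciphertext"]
    rotate(old, new, [rec])
    assert rec["ciphertext"] == before
    assert decrypt_record(new, rec) == b"constructed sample value"
    try:
        decrypt_record(old, rec)
    except InvalidTag:
        print("old master key no longer unwraps the data key")
```

Because the record id is authenticated as associated data, a wrapped key copied onto a different record fails to unwrap with `InvalidTag`.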
```
PrivacySecure Encrypt/
├── run.py                      # entrypoint
├── app/
│   ├── __init__.py             # app factory + nav + globals
│   ├── config.py · db.py · auth.py
│   ├── crypto/
│   │   ├── keys.py             # LocalProvider / KMSProvider (data-key wrapping)
│   │   └── cipher.py           # AES-256-GCM envelope encrypt/decrypt
│   ├── services/               # records · audit · policy · compliance · export
│   ├── blueprints/             # pages · auth · records · policy · audit · keys · compliance · settings
│   ├── seed.py
│   ├── templates/              # base + dashboard/vault/policy/audit/keys/compliance/settings + policy_doc + report
│   │   └── partials/           # icons · record_row · record_value · audit_rows · policy_preview · keys_status
│   └── static/                 # css (Redact design system) · js · vendor (htmx, chart.js)
```
- `records` — ciphertext, data nonce, wrapped data key, provider + key ref, classification, subject, retention. Plaintext is never stored.
- `audit` — append-only access trail.
- `policies` — generated privacy policies.
- `settings` — organisation profile.

| Method | Route | Description |
|---|---|---|
| GET/POST | `/login` · `/logout` | passcode session |
| GET | `/` · `/vault` · `/policy` · `/audit` · `/keys` · `/compliance` · `/settings` | pages |
| POST | `/records/` · `/records/<id>/reveal` · `/records/<id>/delete` | encrypt · decrypt · erase |
| POST | `/policy/generate` · GET `/policy/<id>/download` | policy generator |
| GET | `/audit/export.csv` · `/compliance/report.xlsx` · `/compliance/report.html` | exports |
| POST | `/keys/rotate` · `/settings/save` | key rotation · org profile |

Apache License 2.0 — see LICENSE.