vugarfamiloglu/privacysecure-encrypt

PrivacySecure Encrypt

A data encryption & GDPR privacy-compliance tool. Encrypt sensitive records with AES-256-GCM envelope encryption (keys managed by AWS KMS or a local master key), control every decrypt through an access audit trail, generate a GDPR privacy policy from a form, and export a compliance report — all from a document-grade console.

Built with Python + Flask + Jinja2 + HTMX, the cryptography library, and a "Redact" design system.

Stack: Python · Flask · Jinja2 · HTMX · cryptography (AES-256-GCM) · AWS KMS · SQLite · openpyxl
Port: 7700 · Theme: Redact (light + dark) · Keys default: local master key (zero-config)


Features

  • Encrypt vault — store sensitive values envelope-encrypted at rest. Each record gets a unique AES-256 data key, wrapped by the key provider. Values are shown as redaction bars and only revealed (decrypted) on demand.
  • Decrypt — audited — every reveal/decrypt is recorded in the audit trail (who, what, when, from where).
  • Access audit log — a complete "who accessed what" trail across encrypt, decrypt, export, key rotation and configuration changes, filterable + CSV export.
  • Privacy policy generator — produce a GDPR-aligned privacy policy from your organisation details (data categories, legal bases, retention, DPO, transfers), preview it, and download self-contained HTML.
  • Key management — view the active provider (AWS KMS or local), rotate the master key (re-wraps every data key without ever exposing plaintext).
  • Compliance dashboard — encryption coverage, data-classification breakdown, access activity, and a GDPR readiness score against a control checklist.
  • Compliance report — export to Excel (xlsx) or a printable HTML report.
  • Built-ins — collapsible numbered document-index sidebar ([), light/dark theme, resizable table columns, hover-data charts, confirm modals, toasts.

Runs with zero configuration

  • No AWS required — without KMS_KEY_ID the tool uses a local AES-256 master key (generated to data/.master-key on first boot). Envelope encryption is identical; only the data-key wrapping differs. Set KMS_KEY_ID + AWS_REGION to delegate wrapping to AWS KMS.
  • Seeds a demo workspace (an organisation, encrypted records across classifications, audit history and a generated policy) on first run.

Quick start

python -m venv .venv
. .venv/bin/activate                 # Windows: .venv\Scripts\activate
pip install -r requirements.txt
python run.py                        # → http://localhost:7700

Sign in with the demo passcode protect-the-data.

With AWS KMS

cp .env.example .env                 # set KMS_KEY_ID, AWS_REGION + AWS credentials
python run.py

How envelope encryption works

  1. A fresh AES-256 data key is generated for every record.
  2. The value is encrypted with AES-256-GCM using that data key.
  3. The data key is wrapped by the master key (AWS KMS or local) and stored beside the ciphertext.
  4. To decrypt, the provider unwraps the data key, the value is decrypted — and the access is written to the audit trail.

Rotating the master key re-wraps every data key; record contents are never decrypted during rotation.
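
The four steps and the rotation rule above, as an added sketch using the cryptography library; it is not the project's own app/crypto code. Assumptions: the names LocalWrapper, encrypt_record, decrypt_record and rotate are hypothetical, the wrapped key is stored as nonce plus ciphertext, and the record id is bound as GCM associated data.

```python
# Added illustration; not the project's app/crypto code. All names are hypothetical.
import os
from datetime import datetime, timezone
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class LocalWrapper:
    """Wraps data keys under a local AES-256 master key (stand-in for a KMS call)."""

    def __init__(self, master_key: bytes):
        self._master = AESGCM(master_key)

    def wrap(self, data_key: bytes) -> bytes:
        nonce = os.urandom(12)
        return nonce + self._master.encrypt(nonce, data_key, b"data-key")

    def unwrap(self, wrapped: bytes) -> bytes:
        # Raises InvalidTag if the master key is wrong or the blob was altered.
        return self._master.decrypt(wrapped[:12], wrapped[12:], b"data-key")


def encrypt_record(provider, record_id: str, plaintext: bytes) -> dict:
    data_key = AESGCM.generate_key(bit_length=256)  # step 1: fresh key per record
    nonce = os.urandom(12)                          # 96-bit nonce, used once with this key
    # Step 2: encrypt; the record id is associated data (an assumption of this sketch).
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, record_id.encode())
    # Step 3: only the wrapped data key is stored beside the ciphertext.
    return {"id": record_id, "nonce": nonce, "ciphertext": ciphertext,
            "wrapped_key": provider.wrap(data_key)}


def decrypt_record(provider, record: dict, actor: str, audit: list) -> bytes:
    # Step 4: unwrap, decrypt, then record the access.
    data_key = provider.unwrap(record["wrapped_key"])
    plaintext = AESGCM(data_key).decrypt(
        record["nonce"], record["ciphertext"], record["id"].encode())
    audit.append({"actor": actor, "action": "decrypt", "record": record["id"],
                  "at": datetime.now(timezone.utc).isoformat()})
    return plaintext


def rotate(old, new, records: list) -> None:
    """Re-wrap each data key under the new master key; ciphertext is untouched."""
    for rec in records:
        rec["wrapped_key"] = new.wrap(old.unwrap(rec["wrapped_key"]))
```

Because the record id is authenticated, a ciphertext copied onto another row fails to decrypt instead of revealing the wrong subject's data.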


Project layout

PrivacySecure Encrypt/
├── run.py                     # entrypoint
├── app/
│   ├── __init__.py            # app factory + nav + globals
│   ├── config.py · db.py · auth.py
│   ├── crypto/
│   │   ├── keys.py            # LocalProvider / KMSProvider (data-key wrapping)
│   │   └── cipher.py          # AES-256-GCM envelope encrypt/decrypt
│   ├── services/              # records · audit · policy · compliance · export
│   ├── blueprints/            # pages · auth · records · policy · audit · keys · compliance · settings
│   ├── seed.py
│   ├── templates/             # base + dashboard/vault/policy/audit/keys/compliance/settings + policy_doc + report
│   │   └── partials/          # icons · record_row · record_value · audit_rows · policy_preview · keys_status
│   └── static/                # css (Redact design system) · js · vendor (htmx, chart.js)

Data model (SQLite)

  • records — ciphertext, data nonce, wrapped data key, provider + key ref, classification, subject, retention. Plaintext is never stored.
  • audit — append-only access trail.
  • policies — generated privacy policies.
  • settings — organisation profile.

Routes

| Method | Route | Description |
| --- | --- | --- |
| GET/POST | /login · /logout | passcode session |
| GET | / · /vault · /policy · /audit · /keys · /compliance · /settings | pages |
| POST | /records/ · /records/<id>/reveal · /records/<id>/delete | encrypt · decrypt · erase |
| POST | /policy/generate · GET /policy/<id>/download | policy generator |
| GET | /audit/export.csv · /compliance/report.xlsx · /compliance/report.html | exports |
| POST | /keys/rotate · /settings/save | key rotation · org profile |

License

Apache License 2.0 — see LICENSE.
