Skip to content

fix: use openssl for key generation #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Inch-high merged 1 commit into from
Apr 1, 2026
Merged

fix: use openssl for key generation #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ Or follow: https://support.plex.tv/articles/204059436-finding-an-authentication-
### 2. Generate an encryption key

```bash
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
openssl rand -base64 32
```

Save the output — you'll need it for the `ENCRYPTION_KEY` variable below.
Expand Down Expand Up @@ -65,7 +65,7 @@ docker compose up -d
|---|---|---|
| `PLEX_URL` | — | URL of your Plex server, e.g. `http://192.168.1.50:32400` |
| `PLEX_TOKEN` | — | Your Plex authentication token |
| `ENCRYPTION_KEY` | — | Fernet key for encrypting sensitive settings at rest (see above) |
| `ENCRYPTION_KEY` | — | Key for encrypting sensitive settings at rest (see above) |
| `PORT` | `7842` | Host port for the dashboard |
| `POLL_INTERVAL` | `30` | Seconds between Plex polls |
| `OUTLIER_THRESHOLD` | `0.10` | A country must account for <10% of sessions to be flagged |
Expand Down
9 changes: 6 additions & 3 deletions app/crypto.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@
meaning encrypted settings will become unreadable after a container restart).
"""
import os
import base64
import hashlib
import logging
from cryptography.fernet import Fernet

Expand All @@ -21,14 +23,15 @@ def _get_key() -> bytes:

env_key = os.environ.get("ENCRYPTION_KEY", "").strip()
if env_key:
_key = env_key.encode()
# Derive a valid 32-byte Fernet key from any input string (e.g. openssl rand -base64 32)
raw = hashlib.sha256(env_key.encode()).digest()
_key = base64.urlsafe_b64encode(raw)
else:
_key = Fernet.generate_key()
logger.warning(
"ENCRYPTION_KEY not set — using an ephemeral key. "
"Encrypted settings will be LOST on restart. "
"Generate a permanent key with: "
'python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
"Generate a permanent key with: openssl rand -base64 32"
)
return _key

Expand Down
2 changes: 1 addition & 1 deletion docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ services:
- POLL_INTERVAL=${POLL_INTERVAL:-30}
- OUTLIER_THRESHOLD=${OUTLIER_THRESHOLD:-0.10}
- OUTLIER_MIN_SESSIONS=${OUTLIER_MIN_SESSIONS:-5}
# Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# Generate with: openssl rand -base64 32
- ENCRYPTION_KEY=${ENCRYPTION_KEY}
volumes:
- plexgeo_data:/data
Expand Down
Loading