Decrypting Data

To decrypt data, you must use the private key that corresponds to the public key used during encryption.

Fast File Encryption supports several decryption workflows: you can decrypt a file to memory, write decrypted content directly to another file, or use stream-based decryption for more advanced scenarios.

The example below shows how to decrypt a file and read its metadata:

>>> import fast_file_encryption as ffe
>>> from pathlib import Path
>>> encrypted_file = Path('encrypted_file.ffe')
>>> decryptor = ffe.Decryptor(ffe.read_private_key(Path('private.pem')))
>>> decryptor.load_decrypted(encrypted_file)
b'Hello world!'
>>> decryptor.read_metadata(encrypted_file)
{'my-meta': 1, 'file_path': '.../original_file.txt', ...}

class fast_file_encryption.Decryptor(private_key, verify_file_digest=False)

The Decryptor class provides all the core functionality required to decrypt files, data buffers, and streams.

Parameters:

• private_key (RSAPrivateKey) – The private RSA key used for decryption.

• verify_file_digest (bool) – Flag, if file digest verification shall be enabled. Default is False.

read_metadata(source)

Extract and return the metadata stored in an encrypted file without decrypting its contents.

Parameters:

source (pathlib.Path) – The encrypted file to inspect.

Returns:

A dictionary containing the file’s metadata.

Return type:

dict[str, Any]

load_decrypted(self, source, maximum_size=10_000_000)

Load and decrypt the entire content of a file into memory.

Parameters:

• source (pathlib.Path) – The encrypted input file.

• maximum_size (int) – Soft limit on the expected size of the decrypted data (in bytes). The actual decrypted size may exceed this limit by up to 127 bytes. Default is 10 MB.

Returns:

The decrypted file content.

Return type:

bytes

Raises:

• DataTooLargeError – If the decrypted data would exceed the allowed size.

• IntegrityError – If integrity validation fails.

copy_decrypted(self, source, destination)

Decrypt a file and write its plain content to a new file.

Parameters:

• source (pathlib.Path) – Path to the encrypted input file.

• destination (pathlib.Path) – Path to the output file where the decrypted data will be saved.

Raises:

IntegrityError – If integrity validation fails.

stream_decrypted(self, source_io, destination_io)

Decrypt data from a readable stream and write the decrypted content to a writable stream.

This method supports any file-like objects (e.g. io.BytesIO, sockets, or file handles). It uses only the read() method on the source and write() on the destination.

Parameters:

• source_io (io.BufferedIOBase) – An open stream supporting read().

• destination_io (io.BufferedIOBase) – An open stream supporting write().

Raises:

IntegrityError – If integrity validation fails.

About Errors →