Skill

implementing-aes-encryption-for-data-at-rest

Implements AES-256-GCM encryption/decryption for files and directories in Python using cryptography lib, with PBKDF2/Argon2 key derivation and secure nonce management.

Python

security

backend

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption.

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Implementing AES Encryption for Data at Rest

Overview

When to Use

When deploying or configuring implementing aes encryption for data at rest capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Implement AES-256-GCM encryption and decryption for files
Derive encryption keys from passwords using PBKDF2 and Argon2
Manage initialization vectors (IVs) and nonces securely
Encrypt and decrypt entire directory trees
Implement authenticated encryption to detect tampering
Handle large files with streaming encryption

Key Concepts

AES Modes of Operation

Mode	Authentication	Parallelizable	Use Case
GCM	Yes (AEAD)	Yes	Network data, file encryption
CBC	No	Decrypt only	Legacy systems, disk encryption
CTR	No	Yes	Streaming encryption
CCM	Yes (AEAD)	No	IoT, constrained environments

Key Derivation

Never use raw passwords as encryption keys. Always derive keys using:

PBKDF2: NIST-approved, widely supported (minimum 600,000 iterations as of 2024)
Argon2id: Winner of Password Hashing Competition, memory-hard
scrypt: Memory-hard, good alternative to Argon2

Nonce/IV Management

GCM requires a 96-bit (12-byte) nonce that must NEVER be reused with the same key
Generate nonces using os.urandom() (CSPRNG)
Store nonce alongside ciphertext (it is not secret)

Workflow

Install the cryptography library: pip install cryptography
Generate or derive an encryption key
Create a random nonce for each encryption operation
Encrypt data using AES-256-GCM with the key and nonce
Store nonce + ciphertext + authentication tag together
For decryption, extract nonce, verify tag, and decrypt

Encrypted File Format

[salt: 16 bytes][nonce: 12 bytes][ciphertext: variable][tag: 16 bytes]

Security Considerations

Always use authenticated encryption (GCM, CCM) to prevent tampering
Never reuse a nonce with the same key (catastrophic in GCM)
Use at least 256-bit keys for long-term data protection
Securely wipe keys from memory after use when possible
Rotate encryption keys periodically per organizational policy
For disk-level encryption, consider XTS mode (AES-XTS)

Validation Criteria

AES-256-GCM encryption produces valid ciphertext
Decryption recovers original plaintext exactly
Authentication tag detects any ciphertext modification
Key derivation uses sufficient iterations/parameters
Nonces are never reused for the same key
Large files (>1GB) can be processed via streaming
Encrypted file format includes all necessary metadata