Anyone got a good method for encrypted save files?
Alois (13)

(kinda a repost btw :/)
Hey guys!

I've been trying to make a program called micropy (originally from another device, but recreating it completely) that has many mini features and sports a similar idea as bash or a command line.

It's mostly made for fun, so i'm incorporating games, accounts (client side), and more!

What I need is to create a save file for my program, that people can just do something like 'save' and save their progress and settings/passwords.

The issue i'm having is that I want these saves to be encrypted, and have it so that people can just look into a txt file and change their points in a game to be 1000000, or find the password and change it completely.

I looked into the .env file, and tried using it to create a key to encrypt my save files, and then decrypt them when being imported or used. The reason I used .env files is because they can't be seen by other people, unlike the code of the program. I made a simple system for encrypting values, so I signed out and tested it out without being on my account.

I noticed the following:
1) As expected, I couldn't access the .env file.
2) When (not having forked it) it printed a value from the .env file, it worked on my account, but not on this one (giving me an output of 'None').
3) The program was identical to mine and completely saved.

I'm starting to suspect my stupidity is rolling in, but is there a way I can reliably create a saving mechanism without other people easily being able to break them? (some sort of encryption)

This is hard due to the fact that i've been working on using .env files and made a whole system for it, and until now I didn't realise it wouldn't work.

To sum this up (cuz i know it's super long):

I need to create a saving mechanism for my program, but have an encryption of some sort so that other people can't cheat the saves and change values easily.
I tried using .env, brainlessly, and I failed due to .env for some reason not working for other people (not just not seeing them).

Is there a way to create a save file without other people changing values super easily? (encryption or something)

Please help :|

Comments
wulv (55)

The .env file is accessible only when its owner executes the repl, so that is why you couldn't access it when you logged out. So, you can't use it to store passwords. But, here's what you could do:

  • In one file (or table if you are going to use a database) store all the passwords, but hashed (with MD5 or SHA or something similar). When a user tries to log in, re-hash the password they enter and check if the hash is equal to the stored hash. Because hashes are irreversible, no one will be able to get other users' passwords, but the login will still work.
  • Since the passwords are safely stored and cannot be retrieved by anyone, you could encrypt each user's data with a reversible encryption algorithm (like AES) and use the user's password as a key. That way, the user can unlock these data only by logging in. To make it even more secure, you could also use a key derivation algorithm like scrypt.

And that's it! You have a fully secure storing system! For the hash algorithms, you can use Python's built-in library hashlib (see more here), and for the reversible encryption you can use cryptography or pycrypto.
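
An added example (not code from wulv or anyone else in this thread) of the scheme described in the comment above, using only Python's standard library: a salted scrypt verifier stands in for the plain MD5/SHA hash, and the password-derived key produces an HMAC-SHA256 tag that detects edits to the save, in place of AES encryption. The function names, scrypt cost parameters and JSON save layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed cost parameters (about 16 MiB of memory per derivation).
SCRYPT = dict(n=2**14, r=8, p=1)

def _derive(password, salt):
    """Stretch the password into 64 bytes: login verifier + save key."""
    raw = hashlib.scrypt(password.encode(), salt=salt, dklen=64, **SCRYPT)
    return raw[:32], raw[32:]

def create_account(password):
    """Record to store on disk: it holds neither the password nor the key."""
    salt = os.urandom(16)
    verifier, _ = _derive(password, salt)
    return {"salt": salt.hex(), "verifier": verifier.hex()}

def login(account, password):
    """Return the 32-byte save key, or None if the password is wrong."""
    verifier, key = _derive(password, bytes.fromhex(account["salt"]))
    if hmac.compare_digest(verifier, bytes.fromhex(account["verifier"])):
        return key
    return None

def write_save(key, state):
    """Serialise the game state and attach a keyed tag over it."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})

def read_save(key, blob):
    """Load a save, refusing it if the body no longer matches its tag."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("save was modified or belongs to another account")
    return json.loads(doc["body"])

if __name__ == "__main__":
    account = create_account("constructed-password")
    key = login(account, "constructed-password")
    print(read_save(key, write_save(key, {"points": 40})))
```

The tag stops anyone without the password from editing a save undetected. The account owner can still derive the key from their own password and re-tag an edited save.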

Warhawk947 (542)

@wulv wow, couldn't have said it better...

Alois (13)

@wulv Oh wow! That was one helpful comment haha

Well thanks a crap ton!!!
I appreciate it, and I'll definitely try using these methods...

Also, wouldn't the user be able to change values if they had the key to their own save file? Just a thought...

I'll look into hashlib and stuff, but I'm still a teensy bit confused on the specifics. This did narrow a lot down though, and I'll use it because of how helpful it was haha

Thanks again! ;D

wulv (55)

@Alois Repl.it doesn't allow you to modify other people's files, so even if a user unlocks their save file, they can't change it. You can test it in any random repl if you'd like.

If you've got any more questions on the topic, don't hesitate to mail me: [email protected]

CoolJames1610 (665)

If you get a good solution, please tell me :D

Alois (13)

@CoolJames1610 haha look at the top solution by wulv... It's definitely the best one and I'm gonna use it. My program will be public so you could use that as a base to see how it works.

It's all summed up in wulv's solution (top solution)

earwarmers (7)

You can encrypt it into a .dat file* using the pickle module, but to do that, you would have to save your variables as a dictionary.

*This might not be the answer - I probably read your question wrong.

xxpertHacker (785)

If this answers your question, then click the check mark on the left side of this comment

So, you're trying to prevent someone from just changing the value of something in a game.

I presume that the game doesn't involve real currency (yet), it isn't connected to a massive database, hackers won't care to get involved.

You obviously don't need military-grade encryption.

Do you need true encryption at all?

What if you used something way simpler?

Maybe just converting everything in a string to a number, then reversing this?

It happens to be, I had encountered a Python Repl recently that might be enough for your needs.

A Secureish EncoderDecoder

Is there a way to create a save file without other people changing values super easily? (encryption or something)

This is the "or something" answer for you. Also, using true encryption and decryption will slow down the program, that's something to keep in mind when developing your game.

xolyon (341)

search up how to use encryption in Python or the cryptography import

MarcusWeinberger (680)

As long as the source code of the program is open, there isn't a way to do it.

Alois (13)

@MarcusWeinberger This isn't necessarily true, due to non-accessible data or hashes being used for keys... I mostly got my answer though!

MarcusWeinberger (680)

@Alois Ah well hashing and encrypting are two very different things, but I'm glad you found a solution!

xxpertHacker (785)

@MarcusWeinberger Well, he can make the Repl private.

xolyon (341)

Just search it up on Google. I found a pretty good simple tutorial, I could give it to you but it explains it much better

Alois (13)

@xolyon uhhh...

that wasn't especially very helpful...

could you find it and link it here?

xolyon (341)

@Alois ok, btw the data can still be edited but unless the user knows the key it's impossible, you could also create a check digit algorithm (last digit checks if numbers are correct) then it would be impossible to break through and not worth the effort

check digits are pretty easy to make but if u need help u can tell me

here's the link to encryption through the import cryptography

https://www.youtube.com/watch?v=H8t4DJ3Tdrg

Alois (13)

@xolyon yea I was thinking about the 'check digit' thing... Didn't know it really existed as a term like that. Well, anyway, I'm watching the video right now... I think I need to do this step by step i don't need the check digit thing yet, I just need to have a value that no one else can see so i can use it as a key really... Any other method would be good.

Anyway, thanks!

Any advice on the actual 'encryption' part tho?

Alois (13)

@xolyon i'm looking into the cryptography and it looks like a good option so far... Does repl.it hide the key? It's obviously necessary to be able to use it even so...

Alois (13)

@xolyon I see how this could be used, but is there a way for other people to not have access to the key? Like a database or hidden value saved somewhere for encryption and decryption.

Sorry about the like 200 replies lmao, for some reason i can't edit or delete them... odd...

Is there a reliable method for saving the key or something without people having access to it? or not being able to open or read it?

Alois (13)

@xolyon how can I use the key but not have it visible to other people?

xolyon (341)

@Alois well encryption works in keys and because you can't privatise certain parts of your replit files (the key or encryption/check digit program (which is a fun fact used in all bar codes)) that means you have to make it as hard and as confusing as possible for it not to be worth their time because ultimately if the private key is accessed the encryption is quite easy to crack.

I made a program a while ago which created a random number, the last number was check digit and the last number was the serial number and because it was randomly generated it was really hard to crack (the series number was like check digit for which variables to decrypt) - dunno if you wanna use that

xolyon (341)

@Alois, no you cannot hide the key (in replit, python), NodeJS and some Flask (python nodeJS) thingy have server things and kinda allow that.

make it as hard as possible for them to change data, like check digits or encrypting the key with its own key etc

Highwayman (1460)

Hum there is supposed to be some kind of extension for SQLite that encrypts the database for you... but in your case it doesn’t seem like that’s going to be very helpful....

You could obfuscate your code and then encrypt it with a visible key maybe. It’d at least make it harder to figure out how to cheat the game, but that’s about all I can think of.

MatthewDoan1 (335)

@Highwayman

Are you ready for the first episode of:

MATTHEW'S SIMPLE ANSWERS

?

Well guess what: my solution would simply be:

  1. Encrypt the data using some random key
  2. When decrypting, just generate random keys until the data makes sense!

Simple, right?

That's all for today, folks!

Tune in next week for the next episode of...

MATTHEW'S SIMPLE ANSWERS!!

Alois (13)

@MatthewDoan1 What about hackable seeds? Also this doesn't work at all, since you can brute force it. It also would take a while to load due to my 222x key, which is nearly unbreakable (kinda).

Also I have no good way of 'generating random keys until the data makes sense' since my values should mostly be raw and encrypted directly without assignment...

MatthewDoan1 (335)

@Alois Ahh, I see... Well, ignore me then heh

Alois (13)

@MatthewDoan1 lmao
Well... Got a way to hide a value/key (without other people seeing it) that actually works lol

I can't seem to get good ideas except hashes but i'm lazy and confused so... motivation 0 basically

MatthewDoan1 (335)

@Alois Oh yeah, if wulv answered your question then you should check the little checkmark next to his answer. That marks his comment as the answer so yeah