Fernet Encryption/Decryption


The Fernet key should use the URL-safe base64 encoding format.




Any private key value that you enter or that we generate is not stored on this site. This tool is provided via an HTTPS URL so that private keys cannot be stolen in transit. For extra security, run this software on your own network, with no cloud dependency.



Fernet

Fernet guarantees that a message encrypted using it cannot be manipulated or read without the key. All encryption in this version is done with AES 128 in CBC mode.

Key format

A fernet key is the base64url encoding of the following fields:

Signing-key || Encryption-key
  • Signing-key, 128 bits
  • Encryption-key, 128 bits

Token format

A fernet token is the base64url encoding of the concatenation of the following fields:

Version || Timestamp || IV || Ciphertext || HMAC
  • Version, 8 bits : with the value 128 (0x80)
  • Timestamp, 64 bits : It records the number of seconds elapsed between January 1, 1970 UTC and the time the token was created
  • IV, 128 bits
  • Ciphertext, variable length, multiple of 128 bits
  • HMAC, 256 bits : This field is the 256-bit SHA256 HMAC of the concatenation Version || Timestamp || IV || Ciphertext
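
The layout above can be checked with the Python standard library alone. The following is an added example, not code from the original page or from the cryptography project: it splits a token into its fields and verifies the HMAC with the signing half of the key, without decrypting. The function names, the sample key and the placeholder ciphertext are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

def parse_token(token):
    """Split a token into the fields listed under 'Token format'."""
    raw = base64.urlsafe_b64decode(token)
    # Fixed part: 1 (version) + 8 (timestamp) + 16 (IV) + 32 (HMAC) = 57 bytes.
    if len(raw) < 73 or (len(raw) - 57) % 16:
        raise ValueError("bad token length")
    version, timestamp = struct.unpack(">BQ", raw[:9])
    if version != 0x80:
        raise ValueError("unsupported version")
    return {"timestamp": timestamp, "iv": raw[9:25], "ciphertext": raw[25:-32],
            "hmac": raw[-32:], "signed": raw[:-32]}

def verify_token(key, token, ttl=None, now=None):
    """Check the HMAC (and optionally the age) before any decryption."""
    signing_key = base64.urlsafe_b64decode(key)[:16]  # first half of the key
    try:
        fields = parse_token(token)
    except ValueError:  # also covers base64 decoding errors
        return False
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, fields["hmac"]):  # constant-time compare
        return False
    if ttl is not None:
        now = int(time.time()) if now is None else now
        return fields["timestamp"] + ttl >= now
    return True

def make_sample_token(key, timestamp, iv, ciphertext):
    """Assemble a token around placeholder ciphertext (the stdlib has no AES)."""
    body = struct.pack(">BQ", 0x80, timestamp) + iv + ciphertext
    tag = hmac.new(base64.urlsafe_b64decode(key)[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

# Constructed sample values: not real secrets and not real AES output.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
SAMPLE_TOKEN = make_sample_token(SAMPLE_KEY, 1700000000, bytes(16), b"\x11" * 32)
# Token copied from this page's first Python example; only its layout is read.
PAGE_TOKEN = ("gAAAAABf1ecawfmsxp0S80m5LxV4md9Vf4lO7N-P9jQ08de_oLb5382Aqf7a"
              "GEof23E6N0WYPyhJkvhT1dDJJU4tdAFAhqnK-uiOoSu1T5P6XZLPcU90Rn0=")

if __name__ == "__main__":
    print(parse_token(PAGE_TOKEN)["timestamp"], verify_token(SAMPLE_KEY, SAMPLE_TOKEN))
```

A receiver should reject any token for which verify_token returns False before attempting decryption.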

Examples

Fernet Python example

>>> from cryptography.fernet import Fernet
>>> key = Fernet.generate_key()  # random 32-byte key, base64url encoded
>>> key
b'Qk_GF82vx2qPBiF91n238Mp5HeAlgYpC90NB9PGEB_0='
>>> f = Fernet(key)
>>> token = f.encrypt(b"Hello 8gwifi.org")
>>> token
b'gAAAAABf1ecawfmsxp0S80m5LxV4md9Vf4lO7N-P9jQ08de_oLb5382Aqf7aGEof23E6N0WYPyhJkvhT1dDJJU4tdAFAhqnK-uiOoSu1T5P6XZLPcU90Rn0='
>>> f.decrypt(token)  # raises InvalidToken if the token was modified
b'Hello 8gwifi.org'

Using password with Fernet

>>> import base64
>>> import os
>>> from cryptography.fernet import Fernet
>>> from cryptography.hazmat.primitives import hashes
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
>>> password = b"password"
>>> salt = os.urandom(16)  # keep the salt: it is needed to derive the same key again
>>> kdf = PBKDF2HMAC(
...     algorithm=hashes.SHA256(),
...     length=32,
...     salt=salt,
...     iterations=100000,
...     backend=default_backend()
... )
>>> key = base64.urlsafe_b64encode(kdf.derive(password))  # 32 derived bytes as a Fernet key
>>> key
b'XuRrdEYerPl07JKzRuVhkcx7zuUTtaS0L12-Bs89gbY='
>>> f = Fernet(key)
>>> token = f.encrypt(b"Hello 8gwifi.org")
>>> token
b'gAAAAABf1ekGtfc1S8_LgphBOmTs5YHt14vCEv2Q7XUoRHxHmsQeCSDE6bfQgyv7dk4YZQGvB5VRwCAO5CT6gm_r8PtYFdIaEjsBNAFovx7L_W2SrguCYdY='
>>> f.decrypt(token)
b'Hello 8gwifi.org'

Limitation

Fernet is ideal for encrypting data that easily fits in memory. As a design feature, it does not expose unauthenticated bytes. This means that the complete message contents must be available in memory, making Fernet generally unsuitable for very large files at this time.