Implementation:BerriAI Litellm App Crypto
| Attribute | Value |
|---|---|
| Sources | litellm/litellm_core_utils/app_crypto.py |
| Domains | Cryptography, Data Protection |
| Last Updated | 2026-02-15 16:00 GMT |
Overview
Provides AES-256-GCM authenticated encryption and decryption for JSON-serializable data within LiteLLM.
Description
The AppCrypto class wraps the cryptography library's AESGCM primitive to offer a simple encrypt/decrypt API for Python dictionaries. It serializes data to JSON, encrypts with a 256-bit master key and a random 12-byte nonce, and returns a dictionary containing base64-encoded nonce, ciphertext, and authentication tag. Decryption reverses the process and returns the original dictionary. The class enforces a 32-byte key length at construction time and optionally supports Additional Authenticated Data (AAD).
Usage
Import this class when you need to encrypt sensitive configuration data, secrets, or token payloads at rest or in transit within the LiteLLM ecosystem. Requires the cryptography package.
Code Reference
Source Location
litellm/litellm_core_utils/app_crypto.py (33 lines)
Signature
class AppCrypto:
    def __init__(self, master_key: bytes)
    def encrypt_json(self, data: dict, aad: Optional[bytes] = None) -> dict
    def decrypt_json(self, enc: dict, aad: Optional[bytes] = None) -> dict
Import
from litellm.litellm_core_utils.app_crypto import AppCrypto
I/O Contract
__init__
| Direction | Name | Type | Description |
|---|---|---|---|
| Input | master_key | bytes | 32-byte key for AES-256-GCM; raises ValueError if length is not 32 |
encrypt_json
| Direction | Name | Type | Description |
|---|---|---|---|
| Input | data | dict | JSON-serializable dictionary to encrypt |
| Input | aad | Optional[bytes] | Optional Additional Authenticated Data |
| Output | return | dict | Dictionary with keys nonce, ciphertext, tag (all base64 strings) |
decrypt_json
| Direction | Name | Type | Description |
|---|---|---|---|
| Input | enc | dict | Encrypted envelope with nonce, ciphertext, tag keys |
| Input | aad | Optional[bytes] | Optional Additional Authenticated Data (must match encryption) |
| Output | return | dict | Decrypted original dictionary |
Usage Examples
import os
from litellm.litellm_core_utils.app_crypto import AppCrypto
# Generate or load a 32-byte master key
master_key = os.urandom(32)
crypto = AppCrypto(master_key)
# Encrypt a dictionary
data = {"api_key": "sk-secret-12345", "provider": "openai"}
encrypted = crypto.encrypt_json(data)
# encrypted == {"nonce": "...", "ciphertext": "...", "tag": "..."}
# Decrypt back to original
decrypted = crypto.decrypt_json(encrypted)
assert decrypted == data
# With Additional Authenticated Data
aad = b"user_id:12345"
encrypted_aad = crypto.encrypt_json(data, aad=aad)
decrypted_aad = crypto.decrypt_json(encrypted_aad, aad=aad)
assert decrypted_aad == data
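The failure modes of the envelope described above, as an added sketch that is not LiteLLM's own code: it rebuilds the nonce/ciphertext/tag format directly on the cryptography library's AESGCM and shows that a wrong or missing AAD, a flipped ciphertext bit, or a different key is rejected with InvalidTag. The names seal, open_envelope, verdict and demo are hypothetical, and splitting off the last 16 bytes as the tag is an assumption about how the envelope is assembled.

```python
import base64
import json
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

TAG_LEN = 16  # AESGCM.encrypt() returns the ciphertext with a 16-byte tag appended

# Hypothetical helpers for this sketch; they mirror the page's I/O contract only.
def seal(key: bytes, data: dict, aad: Optional[bytes] = None) -> dict:
    if len(key) != 32:
        raise ValueError("master key must be 32 bytes for AES-256-GCM")
    nonce = os.urandom(12)  # fresh random nonce for every encryption
    out = AESGCM(key).encrypt(nonce, json.dumps(data).encode(), aad)
    parts = {"nonce": nonce, "ciphertext": out[:-TAG_LEN], "tag": out[-TAG_LEN:]}
    return {k: base64.b64encode(v).decode() for k, v in parts.items()}

def open_envelope(key: bytes, enc: dict, aad: Optional[bytes] = None) -> dict:
    nonce, ct, tag = (base64.b64decode(enc[k]) for k in ("nonce", "ciphertext", "tag"))
    # decrypt() verifies the tag over ciphertext and AAD before returning any plaintext
    return json.loads(AESGCM(key).decrypt(nonce, ct + tag, aad))

def verdict(key: bytes, enc: dict, aad: Optional[bytes] = None) -> str:
    try:
        open_envelope(key, enc, aad)
        return "ok"
    except InvalidTag:
        return "rejected"

def demo() -> dict:
    key = os.urandom(32)
    record = {"api_key": "sk-constructed-example", "provider": "openai"}  # constructed sample
    aad = b"user_id:12345"
    env = seal(key, record, aad=aad)
    raw = bytearray(base64.b64decode(env["ciphertext"]))
    raw[0] ^= 0x01  # flip one bit of the stored ciphertext
    tampered = dict(env, ciphertext=base64.b64encode(bytes(raw)).decode())
    return {
        "round_trip": open_envelope(key, env, aad=aad) == record,
        "wrong_aad": verdict(key, env, aad=b"user_id:99999"),
        "missing_aad": verdict(key, env),
        "tampered": verdict(key, tampered, aad=aad),
        "wrong_key": verdict(os.urandom(32), env, aad=aad),
        "fresh_nonce": seal(key, record)["nonce"] != seal(key, record)["nonce"],
    }
```

Callers that store envelopes should treat InvalidTag as a hard failure and keep the AAD derivable from trusted context (for example the owning record's identifier), not from a field stored alongside the ciphertext.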
Related Pages
- BerriAI_Litellm_Sensitive_Data_Masker -- masks sensitive values for logging rather than encrypting them
- BerriAI_Litellm_CLI_Token_Utils -- reads CLI tokens that may use encrypted storage