Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:BerriAI Litellm App Crypto

From Leeroopedia
Revision as of 12:08, 16 February 2026 by Admin (talk | contribs) (Auto-imported from implementations/BerriAI_Litellm_App_Crypto.md)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Attribute Value
Sources litellm/litellm_core_utils/app_crypto.py
Domains Cryptography, Data Protection
Last Updated 2026-02-15 16:00 GMT

Overview

Provides AES-256-GCM authenticated encryption and decryption for JSON-serializable data within LiteLLM.

Description

The AppCrypto class wraps the cryptography library's AESGCM primitive to offer a simple encrypt/decrypt API for Python dictionaries. It serializes data to JSON, encrypts with a 256-bit master key and a random 12-byte nonce, and returns a dictionary containing base64-encoded nonce, ciphertext, and authentication tag. Decryption reverses the process and returns the original dictionary. The class enforces a 32-byte key length at construction time and optionally supports Additional Authenticated Data (AAD).

Usage

Import this class when you need to encrypt sensitive configuration data, secrets, or token payloads at rest or in transit within the LiteLLM ecosystem. Requires the cryptography package.

Code Reference

Source Location

litellm/litellm_core_utils/app_crypto.py (33 lines)

Signature

class AppCrypto:
    def __init__(self, master_key: bytes)
    def encrypt_json(self, data: dict, aad: Optional[bytes] = None) -> dict
    def decrypt_json(self, enc: dict, aad: Optional[bytes] = None) -> dict

Import

from litellm.litellm_core_utils.app_crypto import AppCrypto

I/O Contract

__init__

Direction Name Type Description
Input master_key bytes 32-byte key for AES-256-GCM; raises ValueError if length is not 32

encrypt_json

Direction Name Type Description
Input data dict JSON-serializable dictionary to encrypt
Input aad Optional[bytes] Optional Additional Authenticated Data
Output return dict Dictionary with keys nonce, ciphertext, tag (all base64 strings)

decrypt_json

Direction Name Type Description
Input enc dict Encrypted envelope with nonce, ciphertext, tag keys
Input aad Optional[bytes] Optional Additional Authenticated Data (must match encryption)
Output return dict Decrypted original dictionary

Usage Examples

import os
from litellm.litellm_core_utils.app_crypto import AppCrypto

# Generate or load a 32-byte master key
master_key = os.urandom(32)
crypto = AppCrypto(master_key)

# Encrypt a dictionary
data = {"api_key": "sk-secret-12345", "provider": "openai"}
encrypted = crypto.encrypt_json(data)
# encrypted == {"nonce": "...", "ciphertext": "...", "tag": "..."}

# Decrypt back to original
decrypted = crypto.decrypt_json(encrypted)
assert decrypted == data

# With Additional Authenticated Data
aad = b"user_id:12345"
encrypted_aad = crypto.encrypt_json(data, aad=aad)
decrypted_aad = crypto.decrypt_json(encrypted_aad, aad=aad)
assert decrypted_aad == data

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment