Protecting Python Applications

The following methods exist to protect Python applications using Sentinel LDK:

1.Script Envelope

Script Envelope is an advanced command-line tool for applying Sentinel LDK Envelope protection to Python applications on a Linux or Windows machine.

NOTE    Due to its built-in automation, Script Envelope is the simplest and preferred method for applying Sentinel Envelope protection to your applications.

2.Cython followed by Sentinel LDK Envelope

This method protects Python applications by combining Cython (https://cython.org/) with Sentinel LDK Envelope. This works by first translating your sensitive Python modules into native modules (PYD/SO files) which are then protected using Envelope.

This method provides a higher level of security because the additional compilation step lowers the code’s abstraction level and enables Sentinel LDK Envelope to protect the application as code and not just as data. This results in more sophisticated protection measures. However, this second method is slightly more complicated to set up, as it requires Cython and a working C compiler.

NOTE   This method cannot protect an application's start script, only its Python modules. Therefore, Thales recommends that you place your application's actual entry point inside a Python module and only use the start script to call the module.

You can perform the protection process under Windows or Linux. This section describes how to perform the process on a Linux machine. For information on protecting Python applications under Windows, see Sentinel LDK Envelope for Windows.

3.PyInstaller followed by Sentinel LDK Envelope

This method protects Python applications by combining PyInstaller (https://pyinstaller.org/en/stable/) with Sentinel LDK Envelope. This works by creating a single-file bundled executable using PyInstaller, and then protect the single executable file using Envelope. The protected file can run without installing a Python interpreter or any modules.