password now encrypts random "data key" which is then used for encryption of the actual data

setup.py

@@ -10,6 +10,9 @@ from builtins import input
 import src.config_provider
 import src.sql
 import src.my_scrypt
+from Crypto.Cipher import AES
+from Crypto.Util import Counter
+import hashlib
 
 config = src.config_provider.getConfig()
 src.sql.connect(config['Document']['documentPath'])
@@ -29,14 +32,25 @@ password2 = getpass.getpass(prompt='Repeat the same password: ')
 
 if password1 == password2:
     # urandom is secure enough, see https://docs.python.org/2/library/os.html
-    src.sql.setOption('flask_secret_key', base64.b64encode(os.urandom(24)))
-    src.sql.setOption('verification_salt', base64.b64encode(os.urandom(24)))
-    src.sql.setOption('encryption_salt', base64.b64encode(os.urandom(24)))
+    src.sql.setOption('flask_secret_key', base64.b64encode(os.urandom(32)))
+    src.sql.setOption('password_verification_salt', base64.b64encode(os.urandom(32)))
+    src.sql.setOption('password_derived_key_salt', base64.b64encode(os.urandom(32)))
 
-    hash = src.my_scrypt.getVerificationHash(password1)
+    password_derived_key = src.my_scrypt.getPasswordDerivedKey(password1)
+
+    aes = AES.new(password_derived_key, AES.MODE_CTR, counter=Counter.new(128, initial_value=5))
+
+    data_key = os.urandom(32)
+    data_key_digest = hashlib.sha256(data_key).digest()[:4]
+
+    encrypted_data_key = aes.encrypt(data_key_digest + data_key)
+
+    src.sql.setOption('encrypted_data_key', base64.b64encode(encrypted_data_key))
+
+    verification_hash = src.my_scrypt.getVerificationHash(password1)
 
     src.sql.setOption('username', username)
-    src.sql.setOption('password', binascii.hexlify(hash))
+    src.sql.setOption('password_verification_hash', base64.b64encode(verification_hash))
 
     src.sql.commit()