Migrating existing columns to use django-cryptography

0001_migrate_to_encrypted.py

# -*- coding: utf-8 -*-
from __future__ import unicode_literals

from django.db import migrations, models
from django_cryptography.fields import encrypt

app_with_model = 'account'
model_with_column = 'User'
column_to_encrypt = 'email_address'
column_field_class = models.CharField
column_attrs = {'max_length': 150}
column_null_status = False
temporary_column = f'temp_{column_to_encrypt}'

def replicate_to_temporary(apps, schema_editor):
    Model = apps.get_model(app_with_model, model_with_column)
    for row in Model.objects.all():
        setattr(row, temporary_column, getattr(row, column_to_encrypt, None))
        setattr(row, column_to_encrypt, None)
        row.save(update_fields=[temporary_column, column_to_encrypt])

def replicate_to_real(apps, schema_editor):
    Model = apps.get_model(app_with_model, model_with_column)
    for row in Model.objects.all():
        setattr(row, column_to_encrypt, getattr(row, temporary_column))
        row.save(update_fields=[column_to_encrypt])

class Migration(migrations.Migration):

    dependencies = [
        (app_with_model, '0000_whichever'),
    ]

    operations = [
        # create temporary column
        migrations.AddField(
            model_name=model_with_column.lower(),
            name=temporary_column,
            field=column_field_class(
                verbose_name=temporary_column, null=True, **column_attrs),
        ),
        # allow null entries in the real column
        migrations.AlterField(
            model_name=model_with_column.lower(),
            name=column_to_encrypt,
            field=column_field_class(
                verbose_name=column_to_encrypt, null=True, **column_attrs),
        ),
        # push all data from real to temporary
        migrations.RunPython(replicate_to_temporary),
        # encrypt the real column (still allowing null values)
        migrations.AlterField(
            model_name=model_with_column.lower(),
            name=column_to_encrypt,
            field=encrypt(column_field_class(
                verbose_name=column_to_encrypt, null=True, **column_attrs)),
        ),
        # push all data from temporary to real (encrypting in the processes)
        migrations.RunPython(replicate_to_real),
        # remove the temporary column
        migrations.RemoveField(
            model_name=model_with_column.lower(),
            name=temporary_column),
        # disallow null values (if applicable)
        migrations.AlterField(
            model_name=model_with_column.lower(),
            name=column_to_encrypt,
            field=encrypt(column_field_class(
                verbose_name=column_to_encrypt, null=column_null_status, 
                **column_attrs)),
        ),
    ]

This is super helpful! I'm curious how to make this migration reversible. It seems like all RunPython calls could just have the same function used as the reverse_with argument (ie migrations.RunPython(replicate_to_temporary, replicate_to_temporary),). The problem is the last AlterField operation gets reversed first, which means copying data from the now-encrypted column tries to put encrypted binary data into a text field. Stack overflow is likely a better place for this, but I can't find the post which linked here!

Update: I initially found this gist because I was having trouble with the official example. My Model class required that the encrypt/decrypt python functions to be used as migration operations had this:

for row in Model.objects.all():

Replaced with this:

db_alias = schema_editor.connection.alias
for row in Model.inherit_objects.using(db_alias).all():

Using that tweak in the official example led to a fully reversible encryption/decryption migration. Missy Elliot would be proud!

@thismatters
I keep getting this error

Unsupported lookup 'exact' for EncryptedPhoneNumberField or join on the field not permitted, perhaps you meant exact or iexact?
--