Yes, this is possible, if you replace the concept of a “password” with a “private key”. (This is not, strictly speaking, done with a password. In the case of PGP and other such solutions, the password merely allows access to that key.)
No, Django does not provide anything like this.
Beware - key management for something like this is a whole industry unto itself. To the extent of my knowledge, the need to regenerate keys from either party requires both parties to receive new keys.
Also, keep in mind that every pair of “User – Financial Management firm (?)” requires a unique set of keys. (It’s not clear from your description here whether “Financial management” is one entity or many.)
I haven’t been in that side of the business for a long time, I don’t have any specific recommendations - just some thoughts for you to consider when looking at the requirements here.
What are the real and underlying requirements and assertions you’re going to make about the security here?
- Are you really saying that you-on-the-server will not have any facility to decrypt that data?
- How will you handle lost passwords / keys?
- What are your DR / BCP processes going to be?
- What are your legal / law enforcement responsibilities regarding retrieval of data?
The full answers to these questions are important to help identify what your options are for solutions to this.
For example, proving that you didn’t somehow keep a copy of any generated passwords / encryption keys is effectively impossible. Be careful of what you assert.
Note 1: Don’t bother posting answers to these questions here - this isn’t a topic that can be adequately answered here. Get professional advice. This all seems simple, until it isn’t, and by then you could find yourself in serious legal difficulties.
Note 2: I’m based in the United States, this general information would only apply there. I have no knowledge of the legal frameworks in any other country. I’m also not a lawyer, what I post here does not constitute legal advice.
If you’re handling financial information, you’re going to need to have your lawyers involved - do not rely upon the legal counsel of a firm you’re working with - they are responsible for their client’s interests and not yours. (If you’re an internal employee with this firm, then they are representing you. But if you are under contract with this firm, they’re not. Of course, if you are an employee of this firm, then a lot of these potential issues go away.)