Next.js Discord

Discord Forum

Question on encrypting data

Unanswered
West African Lion posted this in #help-forum
West African Lion (OP)
Not related to next, rather a feature I need in my app.

I am building an app for a client, they have some very private/confidential data of their users, which they need encrypted before storing in the db, so only an authorised user can see it and no one else. Need to know the right way to handle this.

1. Since passwords are hashed I cannot use it as an encryption key since the password is only entered on the login event.
2. I could technically store the plain password in the session, but seems very insecure, and a hack.
3. The app also has OAuth, which means I cannot rely on password as the encryption key (#2), because there won't be a password when said user logs in with Google.

Need some assistance

6 Replies

Asian black bear
I didn't see the bit about "only that user"
Password vaults often have this goal and mostly use Key Derivation Functions or KDFs to bulk up a password into an encryption key.
Basically you would have the client use the KDF to build the big stronk encryption key, encrypt their stuff and then send it to your back end.
To retrieve it you would send back the encrypted stuff and they would again derive the key and decrypt their stuff.
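
The flow described in the reply above, sketched with the WebCrypto API as an added example that is not part of the original thread. The function names, the record layout, the PBKDF2 iteration count and the choice of PBKDF2 with AES-GCM are assumptions made for illustration; the passphrase is whatever secret the user types on the client, which for OAuth users has to be separate from the login.

```javascript
// Added example (not from the thread). Names and record layout are assumptions.
const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor; tune per device

// Browsers and recent Node expose WebCrypto globally; older Node needs the import.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Stretch the passphrase into a non-extractable AES-256-GCM key.
async function deriveKey(passphrase, salt) {
  const { subtle } = await getCrypto();
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Client side: returns the only thing the back end ever stores.
async function encryptForUpload(passphrase, plaintext) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // per-record salt, not secret
  const iv = c.getRandomValues(new Uint8Array(12));   // fresh nonce for every encryption
  const key = await deriveKey(passphrase, salt);
  const ct = await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return { salt: toB64(salt), iv: toB64(iv), ciphertext: toB64(new Uint8Array(ct)) };
}

// Client side: re-derive the key from the stored salt and decrypt.
// Returns null when the passphrase is wrong or the record was modified,
// because the GCM tag check fails in both cases.
async function decryptFromServer(passphrase, record) {
  const c = await getCrypto();
  const key = await deriveKey(passphrase, fromB64(record.salt));
  try {
    const pt = await c.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ciphertext));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

The back end stores the returned record as-is and never receives the passphrase or the derived key, so a forgotten passphrase makes the data unrecoverable.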