General question about encrypting data and storing api keys securely
Unanswered
@ts-ignore posted this in #help-forum
I got a task at work which requires encrypting everything but users should be able to see the data through a dashboard.
The users will be able to use api keys to connect our api and create records.
The API key which will create the record will only be shown once to end user but how can I keep them safe in db so even if my db gets leaked by any chance, no one abuses it
Redirect me to any resources/code examples.
Thanks for your time
19 Replies
Sun bear
well you should treat api keys the same as passwords, so look into argon2id for hashing them.
Sun bear
you should also use the most optimized hashing library for your runtime to save on computing cost
for node.js it is recommended to use @node-rs/argon2 (if you are using turbopack, this package won't work and you should instead use argon2 which will be a bit less performant), and for bun you should use Bun.password
also make sure when hashing the password that you at least use the following parameters of the argon2id hashing algorithm in order to make your keys safe:
{
"memoryCost": 19456,
"timeCost": 2,
"outputLen": 32,
"parallelism": 1
}
Bookmarking this
yeah I also had this in mind for api keys but I am still skeptical about the data itself
Encryption requires a secret key so even if you store something encrypted, you still need to store the secret key somewhere safe.
The encryption can be symmetrical or asymmetrical.
Depends on how complex you want it to be.
argon2id is not encryption but it's a hashing algorithm
I was thinking of using RSA where pub key will be in my db and private key will be in user's browser (so they can see the items in dashboard)
If you want that only the users can see the data then the user must store the private key.
But if your company wants to also see the data then it's no different from not having encryption imo
that private key will also be used as API key but then the problem is if user regens the key, the older data won't be visible
Yeah, if users regen the data there needs to be a mechanism to re-encrypt the entirety of that user's data
which can only happen by looping over the whole data which is very inefficient
But it's not like user data regen happens a lot, right
yeah but still
My bank app doesn't allow more than one device.
Anytype can't regen their private user-side key,
So I think it's a common compromise
yeah I think I will have to compromise somewhere
so I asked gpt and claude about this and they told me to:
- encrypt data with AES
- encrypt AES key with RSA key pair
- store public RSA in my db, AES encrypted key and private key in something like AWS KMS
So if user lost access to their key, get that key from AWS, use it to get AES key, encrypt AES with new key pair and save it again in AWS KMS
this way, the data is accessible even after the user leaked/lost their key
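
Added example, not part of the thread and not any participant's code: the AES-plus-RSA layering described in the last messages, written with Node's built-in `node:crypto`, showing that regenerating the RSA key pair only requires rewrapping the small AES data key instead of looping over every record. The function names and the in-memory key pairs are assumptions for illustration; in the scheme discussed above the private key would be held in a KMS or by the user.

```javascript
const crypto = require('node:crypto');

// Encrypt one record with the AES-256-GCM data key (fresh 96-bit IV per record).
function encryptRecord(dataKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt one record; throws if the ciphertext or tag was modified.
function decryptRecord(dataKey, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Wrap / unwrap the AES data key with RSA-OAEP (SHA-256).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const wrapKey = (publicKey, dataKey) =>
  crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
const unwrapKey = (privateKey, wrapped) =>
  crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);

// Key regeneration: only the small wrapped key is rewritten, never the records.
function rewrapDataKey(oldPrivateKey, newPublicKey, wrapped) {
  return wrapKey(newPublicKey, unwrapKey(oldPrivateKey, wrapped));
}

// Constructed demo: in-memory key pairs stand in for keys held in a KMS.
function demo() {
  const newPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const oldPair = newPair();
  const dataKey = crypto.randomBytes(32);
  const stored = ['record one', 'record two'].map((r) => encryptRecord(dataKey, r));
  let wrapped = wrapKey(oldPair.publicKey, dataKey);

  const nextPair = newPair();
  wrapped = rewrapDataKey(oldPair.privateKey, nextPair.publicKey, wrapped);

  const key = unwrapKey(nextPair.privateKey, wrapped);
  let oldKeyWorks = true;
  try { unwrapKey(oldPair.privateKey, wrapped); } catch { oldKeyWorks = false; }
  return { records: stored.map((r) => decryptRecord(key, r)), oldKeyWorks, stored, key };
}
```

Rewrapping needs the old private key at rotation time, which is why the plan above keeps a recoverable copy outside the user's browser.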