Next.js Discord

Discord Forum

How do I do encryption-decryption with server actions?

Answered
Thrianta posted this in #help-forum
Thrianta (OP)
Hey, pretty new to cryptography so I need some recommendations on how to do it on a standard web app that uses nextjs and prisma. Thanks in advance
Answered by Asian black bear

19 Replies

Asian black bear
Encryption of what?
@Asian black bear Encryption of what?
Thrianta (OP)
specifically certain columns in my db
@James4u you want to protect your server actions?
Thrianta (OP)
this too
@Thrianta this too
Asian black bear
This is called authentication, authorization and validation if you're looking to secure your actions. Not encryption.
@Thrianta specifically certain columns in my db
Asian black bear
If you want to encrypt data in your database you apply one of the different algorithms on the data you want to store. For one-way encryption it's actually called hashing, used for passwords for example. In the case that you really need to encrypt the data in the database and make it possible to retrieve the original data you need to use a symmetric-key algorithm.
Answer
Thrianta (OP)
so how do i do symmetric encryption? what do most devs use?
Asian black bear
You should first evaluate what threat you want to deal with before you implement encryption because it's useless most of the time.
For example if you encrypt data using keys then you need to find a way to secure the keys. But if your app accessing the database using said keys has a bug or vulnerability then the encryption won't do shit.
As such encryption doesn't necessarily mean something is safer. Often it is just used to hide data from unauthorized access such as anonymizing personal data to adhere to data protection laws etc.
Thrianta (OP)
alright got it, im new to cryptography so when i tried attempting it on my app i used this https://www.npmjs.com/package/prisma-field-encryption
but i realized it slowed down its performance so i had to look for the actual way to do it
Asian black bear
You won't find anything faster, as databases are designed for fast queries and cannot operate on encrypted data. You are forced to handle this in your app, in this case code written using JS, which is guaranteed to be slower. No abstraction can do this as fast as the baseline database.
It's a tradeoff - if you really need encrypted data you will have to take some perf hits as well as architectural hits.
Thrianta (OP)
so using this npm package should still be in my options, correct?
Asian black bear
I have no experience with it, I'm merely saying there is no silver bullet that has no impact on performance.
Thrianta (OP)
in ur own projects have you done something similar? that being doing encryption with a db?
Asian black bear
No, because that wouldn't have contributed to increasing security.
You do it as part of a clear threat assessment and if there is no good reason for it, it's wasteful to implement measures without understanding why you're doing it in the first place.
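
Added example, not part of the thread and not any participant's code: the two operations the answer distinguishes, written with Node's built-in `crypto` module as they might sit behind a server action. It assumes the key is generated in-process so the snippet runs offline; the column labels and the stored layout are made up for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: a real app loads this 32-byte key from a secret store or
// environment variable, never from the database it protects.
const KEY = nodeCrypto.randomBytes(32);

// Reversible: AES-256-GCM for a column value. `column` (hypothetical label,
// e.g. "User.ssn") is bound as associated data, so a ciphertext copied into
// a different column fails authentication.
function encryptField(plaintext, column, key = KEY) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per value
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(column, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout (constructed for this example): iv | tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptField(stored, column, key = KEY) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('stored value too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(column, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, the column label or any stored byte is wrong
  const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return body.toString('utf8');
}

// One-way: scrypt with a random per-password salt. The original password
// cannot be recovered, only checked.
function hashPassword(password, salt = nodeCrypto.randomBytes(16)) {
  const hash = nodeCrypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const hash = nodeCrypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32);
  return nodeCrypto.timingSafeEqual(hash, Buffer.from(hashHex, 'hex'));
}
```

Because each value gets a random nonce, encrypting the same plaintext twice produces different stored strings, so the database cannot match or index these columns and any lookup has to happen in application code after decryption.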