How to store encryption key?
Question
I look out many password managers like keeper, 1password, secret-in and I am following secret-in password manager to create my own project and trying to add same features, but got stuck at storing the data of users like his/her secrets, payment secrets in encrypted form. I read encryption model of keeperhere but still didn't understand. Where to store a server side encryption key? I have some data that is symmetrically encrypted with a single key in my database. Rather than hard coding it into my code, I am looking for a safer way to store the encryption key. Where can I safely store it?
1 answers
solution1
0 ACCPTED 2020-12-14 20:03:56
The approach here is quite simple.
You only send encrypted data to the server for storage/backup. The encrypted data received doesn't come with a key.
You need to ensure all encryption and decryption occurs locally on the users device. Thus the user needs to supply the key.
Users aren't good at providing high quality key material, so instead, require the user to provide a password, take that password and pass it through a hash-based key derivation function with parameters that make the function slow (high ops, high mem requirements). An algorithm like pbkdf2 with a strong PRF like HMAC-SHA-2 should be sufficient.
Update: To answer your specific questions, you need to perform the following steps, you will need to use a cryptographic library that supports key derivation from password and symmetric encryption, like libsodium.
- request password from user on first use
- run this password through key derivation to derive a key from it: https://libsodium.gitbook.io/doc/key_derivation
- execute encryption of user data with key: https://libsodium.gitbook.io/doc/secret-key_cryptography
- destroy the key and send data to server for backup
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.