Level 102
What do you mean by "securely in the browser"? I mean as the browser is on the client computer, they have full access to the key
Nov 12, 2022
7
Level 22
Complete client side encryption/decryption on browser
I am building a file sharing app with encryption.
When a user registers, an RSA key pair is generated. The RSA private key is encrypted with the user's login password (user's login password is not stored, so this process happens as part of the registration). This passphrase encrypted RSA key is stored in DB using laravel encryption.
Now when the user logs in, while authenticating, the user's RSA private key is decrypted using Laravel decryption (still passphrase protected) and sent to the user's browser. The password used by the user to log in is temporarily used to decrypt the private key.
Now I need a way to store this private key securely on the browser until the user logs out. This will be used to encrypt and decrypt files uploaded and downloaded by the user. The goal is to achieve complete client-side file encryption and decryption.
Can you see any flaw in this? And how can I store the private key securely in the browser? I just need to make sure that this key can't be read by third-party extensions.
Level 22
@Sinnbeck I don't mind the user accessing his key. I just don't want any third party extensions accessing it.
Level 102
@mathewparet there is no way to do that sadly as extensions are part of the browser. So they have access to both cookies and local storage
Level 22
@Sinnbeck that's a bummer.
Level 102
@mathewparet sadly yes. The only way you can encrypt and decrypt safely is on the server. Maybe look up the project called zendto. It's a php project that aims to do something similar (but on the server)
Level 50
If it is a SPA application, you can just store the passphrase protected key on the browser. And, every time user re-visits (refreshes) the webpage, you can ask to re-enter the password. Like a lock screen.
There the key is decrypted, and stored only in memory (variable) and used until the user closes the page.
Level 22
Thanks, @niush @sinnbeck for your comments.
I have another question related to this topic - https://laracasts.com/discuss/channels/design/best-design-for-an-encrypted-file-server
Created a new one so I can choose the best answer for the new question as well.
Please or to participate in this conversation.