I am currently working on a service which lets users store client-side encrypted
Question
I am currently working on a service which lets users store client-side encrypted data and access it anywhere. The client connects through a browser and the webapp is written in JavaScript. To more easily manage the stored data, I'd like to implement a search function.
The whole concept of the server not knowing what is stored means that data is not searchable server-side. Therefore the data has to be decrypted somehow.
+ Is it safe to decrypt all the data and store it in memory for the time of the client's session (store it in a variable)?
For user-experience related reasons, asking for the user's password (encryption key) every time is not something that'd work in the long run.
Explanation / Answer
You could use a JavaScript encryption library for the encryption/decryption process, and you could store the unencrypted data in sessionStorage in the browser. Is it secure? Only as secure as your app, the browser, the OS, and the machine it is running on.
Storing the encryption key in the user's browser, let's say in localStorage, so that it persists between sessions, is inherently less secure than asking the user for the key with every session. You might want to offer your users the ability to store the key in localStorage as an option, but I would not make it mandatory.
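An added example, not part of the original answer and not any library's own code: one way to keep the key and the decrypted records in closure variables for the session, instead of sessionStorage or localStorage, using the WebCrypto API. The function names, the PBKDF2 iteration count and the sample records are assumptions made for illustration.

```javascript
const enc = new TextEncoder(), dec = new TextDecoder();

// Browsers and current Node expose globalThis.crypto; older Node needs the import.
const getCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

async function deriveKey(password, salt) {
  const { subtle } = await getCrypto();
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  // extractable = false: page script cannot export the raw AES key afterwards.
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' }, // assumed cost
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one record client-side; only { iv, ct } would be sent to the server.
async function sealRecord(key, text) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh nonce per record
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(text));
  return { iv, ct };
}

// Ask for the password once, decrypt into closure variables, search in memory.
async function openVault(password, salt, sealed) {
  const { subtle } = await getCrypto();
  let key = await deriveKey(password, salt);
  let plain = [];
  for (const { iv, ct } of sealed) {
    // Rejects when the password is wrong or the ciphertext was altered.
    plain.push(dec.decode(await subtle.decrypt({ name: 'AES-GCM', iv }, key, ct)));
  }
  const open = () => { if (!plain) throw new Error('vault is locked'); return plain; };
  return {
    search: term => open().filter(p => p.toLowerCase().includes(term.toLowerCase())),
    async add(text) { open().push(text); return sealRecord(key, text); },
    lock() { key = null; plain = null; }, // drop references on logout or idle timeout
  };
}

// Constructed sample data: two records sealed under a constructed password and salt.
async function demo() {
  const salt = new Uint8Array(16).fill(7);
  const key = await deriveKey('correct horse', salt);
  const sealed = [await sealRecord(key, 'Tax return 2023'),
                  await sealRecord(key, 'Door code for the office')];
  const vault = await openVault('correct horse', salt, sealed);
  return { vault, salt, sealed };
}
```

`lock()` only drops the references: JavaScript cannot zero strings, so the plaintext remains in the tab's memory until garbage collection, and script injected into the page while the vault is open can use it the same way the app does.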