
I'm currently working on a project that requires me to store sensitive information


Question

I'm currently working on a project that requires me to store sensitive information (mainly passwords and other information) on a web server via a standard Python/Flask website. This information is to be shared with x number of other people on the system where they can decrypt and see the information.

Ideally I'd like to perform all the encryption on the client side and keep the server storing the encrypted data in a way that means the server is never able to decrypt this data.

I was originally envisioning a system similar to that of LastPass, but with the ability to share the same data with other users, to be decrypted and viewed by them, I can't think of a way for this to work.

Is this possible?

[edited to add more info]

The project I'm working on is actually a password/information management app mainly targeted at companies wanting to manage their internal passwords/info for, say, server access or software systems with single accounts. I don't think it's possible to provide users with the keys to use outside of the system. I was hoping the user's password or maybe an individual key of some kind would be enough to decrypt the data held in the system, but being able to encrypt the data so any user's key can decrypt it eludes me. I'm thinking it might not be possible.

Explanation / Answer

Basically, you need to encrypt the data you want to protect using a symmetric key (e.g. an AES key). This key is only known to the group of users who are permitted to access the encrypted data on the server.

The key you used to encrypt the data should not be stored on the server. The encryption and the decryption happen on the client side, inside the client web browser; there are many JavaScript libraries that implement the AES algorithm.

The hardest part is how you can share the encryption key between the users. In addition, if the same user shares part of his data with two different groups of users, he might need to use different encryption keys for each group. Note that you don't want the key to be known to the server.

So how can we do that? There are two options for key distribution:

See, the technical challenge in your system is how to manage the encryption keys and how you manage the user groups.

You should take advantage of the HTML5 web storage to store the AES keys: simply assign each user a passphrase and use this passphrase to generate a master AES key that you can use to encrypt all the keys in the web storage and other sensitive data on the client side.

Note: the main issue here is if the user loses the encryption key. In this case it is possible that he might not be able to recover the encrypted data at the server.

If you post more details about your project requirements, we might be able to give you a better solution and maybe a simple one.
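
The scheme this answer describes, sketched with the WebCrypto API as an added example (not code from the original answer): a shared AES-GCM group key encrypts the record, and each user's passphrase derives a master key that wraps the group key before it goes into web storage. The function names, PBKDF2 parameters and sample values are assumptions, as is the delivery of the group key to each member, which the answer leaves open.

```javascript
// Added example: all names, parameters and sample values are constructed.
async function getCrypto() {
  // Browsers and recent Node expose WebCrypto globally; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}
const enc = new TextEncoder(), dec = new TextDecoder();

// Passphrase -> master AES key. PBKDF2 and its parameters are an assumption.
async function deriveMasterKey(passphrase, salt) {
  const { subtle } = await getCrypto();
  const base = await subtle.importKey('raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Shared group key; extractable only so that it can be wrapped.
async function newGroupKey() {
  const { subtle } = await getCrypto();
  return subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
}

// Wrap the group key under the user's master key; this blob is what web storage holds.
async function wrapGroupKey(groupKey, passphrase) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const master = await deriveMasterKey(passphrase, salt);
  const wrapped = await c.subtle.wrapKey('raw', groupKey, master, { name: 'AES-GCM', iv });
  return { salt, iv, wrapped };
}

// Rejects (GCM tag mismatch) when the passphrase is wrong.
async function unwrapGroupKey(blob, passphrase) {
  const { subtle } = await getCrypto();
  const master = await deriveMasterKey(passphrase, blob.salt);
  return subtle.unwrapKey('raw', blob.wrapped, master, { name: 'AES-GCM', iv: blob.iv },
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Only the returned { iv, ct } pair is uploaded; the server never sees a key.
async function encryptRecord(groupKey, plaintext) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh IV for every record
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, groupKey, enc.encode(plaintext));
  return { iv, ct };
}

async function decryptRecord(groupKey, rec) {
  const { subtle } = await getCrypto();
  return dec.decode(await subtle.decrypt({ name: 'AES-GCM', iv: rec.iv }, groupKey, rec.ct));
}
```

Two members who each wrap the same group key under their own passphrase can both decrypt a record, while the stored blob is useless without the passphrase.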
