Encryption using Deno KV and OAuth?
I'm creating a note-taking app using most of Deno's tools. I was thinking about encrypting user notes for additional privacy. The problem I have is that I don't know how to generate and manage the encryption keys without somehow storing them in the server. If anyone has any pointers on how to achieve this I would love to hear it, thank you.
5 Replies
You need a key to encrypt/decrypt. 3 possibilities for me; the key:
- can be hard-coded (bad way)
- can be read from .env
- can be stored in KV
The encryption key needs to be external to the code and the KV store. Options to supply this typically include passing in the encryption key via an environment variable or CLI argument.
@foobar @cknight I think an env variable would work great, thank you for your input
For my knowledge, why would putting the key in the KV store be wrong? Effectively, in an env variable nobody can see the key; in the KV store, only an admin can see it.
If the KV store can be remotely accessed then anyone can get the key and decrypt the data. Best practice would be to store the key separately from the encrypted data.
For example, you can also store backups in multiple places without worrying as much about the security surrounding those backups, as the data is encrypted and the key is not available in the KV store.