I'm working on a web app and want to offer the users the option to "encrypt" their account. This wouldn't encrypt everything related to them in the database. Just certain critical fields.
I've already read D.W.s great response on the issue (https://security.stackexchange.com/a/16961/114330), and in spite of all that, I want to go through with it, because of some key differences:
First and foremost: None of the data I'm encrypting is critically important. This is a toy app, mostly for me to learn from and maybe put on a resume. There aren't any real users.
Secondly, I'm using existing frameworks and technologies. It's a Django app, so I've already got a bunch of protections and some sane defaults like csrf protection. I'm aware that's not magical pixie dust that's going to make my application secure, but "...I'm still learning, and doing the best I can."
With that out of the way, here's how I want to implement it:
- The user registers an account. During the registration, they are given the option for account encryption, and a separate password to use for the encrypted fields.
- Encrypted accounts have a bool
encrypted
, set to true. That is the only difference in accounts on the backend. - When the user logs in, if
encrypted=True
, a prompt shows for them to type in their password, which is stored in client-side memory, and uses browser-side JS crypto (I know, I know...) to encrypt/decrypt the entries.
I want to make sure that nobody but the user can read their own entries, and this seems like a straightforward way of achieving that goal. But, as this is security, there's probably a million ways to do this wrong, and no perfect way of doing this right, so I'm very interested in the opinions of someone more knowledgeable than me, and would be really grateful if someone could point out potential vulnerabilities or areas where things can go wrong.