I'm developing a server (Java + Spring) and I want to encrypt users' sensitive data on the database, using a key that's specific for each one.
I thought of encrypting the user's data using their password as a base for the key but...
- I'm only storing hashed (bcrypt) passwords on the database
- User only sends the password to the server when creating their account and logging in. For request authentication it's using JWTs (only containing the user Id, with a strong secret and a low expiration time) generated after each login.
I thought of storing the password as plain text on the database but that leads me to the same problem, if the db gets compromised, an attacker could easily decipher user's content.
Is there any way to accomplish this?