PVermeer
commented
1 year ago Hi @Damar225,
Thanks for bringing this to my attention.
Encryption.createRandomEncryptionKey() Is just an implementation to generated a random key with the methods provided in tweetnacl-js. It's meant to generated a key on first usage. After that, you provide the key from a trusted source.
You are responsible for saving this key somewhere secure and use it when opening the database. To keep it secure in your app you could:
- provide it from a backend after user is logged in and / or is verified;
- save it locally in an encrypted state that only the correct user can unlock (e.g. with a key based on his password or a separate password / pin).
Since you're using Next.js you can provide it from the backend. Make sure it's not persistent on the client! Watch out for serverless databases with persistence enabled (e.g. Google's Firebase with offline first strategy).
After the key is provided, the app stores the key in memory. Your app should only know about the key after the user is verified.
I will update the docs with this information to make it more clear. If you still have any questions let me know.
Damar225
Hello, First thanks for this great library and its addon.
There is something that is not clear for me about the secret key and encryption, does dexie-encrypted-addon handle keeping the encryption secret key secure/safe?
I saw in the documentation that you are doing this:
// Generate a random key const secret = Encryption.createRandomEncryptionKey();Is doing the encryption this way will be safe/secure? or can any one inspect that secret key and use it to encrypt the database?
I'm using this library with Next.js, thanks.