Open slavko-lukic opened 8 months ago
jeremiebardon
commented
8 months ago +1 we actually have the same concern in my team.
How to encrypt and secure the storage to be able to put sensitive information in it, should we ask a token to our Backend and make a rotation of this encryption key or is it already handled by MMKV ?
francesco-clementi-92
commented
6 months ago I don't think it's in the scope of this package to provide a way to safely store the encription key. However, I suggest to study react native documentation about storing secrets: https://reactnative.dev/docs/security The common use case is to use for example https://github.com/oblador/react-native-keychain or get the encryptionKey from your backend (HTTPS protocol mandatory of course and protected by authentication)
mrousavy
commented
6 months ago 100% agree with @francesco-clementi-92 here!
slavko-lukic
commented
6 months ago @mrousavy I agree as well, my concern is only that docs are bit unclear about that.
NilsBaumgartner1994
commented
4 months ago Is there any way to create and save a key locally in order to use the encryption feature safely?
foureight84
commented
3 months ago 100% agree with @francesco-clementi-92 here!
Definitely agree. However, if a key is lost then is there a way to clear out the encrypted instance? Since you won't be able to create a new instance with the same id and different encryption key. This is my understanding from reading through an older issue post but I want to verify.
theabhishek2511
commented
3 months ago Is there any way to create and save a key locally in order to use the encryption feature safely?
@NilsBaumgartner1994 generate a key separately using a key derivation function based on some randomness and some user dependent parameters (like their uid), encrypt mmkv using said key, then save it securely.
some libs are available for kdfs, like react-native-argon2.
to save the key use either android's keystore and ios' keychain, or just use react-native-keychain or expo securestore if you're on expo.
slavko-lukic
commented
3 months ago Is there any way to create and save a key locally in order to use the encryption feature safely?
@NilsBaumgartner1994 generate a key separately using a key derivation function based on some randomness and some user dependent parameters (like their uid), encrypt mmkv using said key, then save it securely.
some libs are available for kdfs, like react-native-argon2.
to save the key use either android's keystore or ios' keychain, or just use react-native-keychain or expo securestore if you're on expo.
This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain. One good way I found is combination of keychain and zustand where keychain is used as persist storage. In that case, data is stored securely in the keychain, you decrypt it once at app start when you hydrade the zustand store, and than you can read the data from memory without the need to decrypt it every time.
theabhishek2511
commented
3 months ago This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.
I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.
imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.
NilsBaumgartner1994
commented
3 months ago This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.
I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.
imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.
True, even considering saving something in web would make the process easier.
but what I would like to wish would be a in app written key saver. So we don’t have to reimplement the same key saving mechanic for android, web and iOS. Would be easier for many to use mmkv
ericlewis
commented
3 months ago This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.
I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.
imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.
I was curious about this, since it's such an old comment you are referencing, and I can reliably save 100 megabytes of data in keychain. Using the same testing method. Not sure if device dependent, but likely OS dependent.
NilsBaumgartner1994
commented
3 months ago This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.
I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example. imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.
I was curious about this, since it's such an old comment you are referencing, and I can reliably save 100 megabytes of data in keychain. Using the same testing method. Not sure if device dependent, but likely OS dependent.
https://docs.expo.dev/versions/latest/sdk/securestore/
„ Size limit for a value is 2048 bytes. An attempt to store larger values may fail.“
NilsBaumgartner1994
commented
2 months ago So this is still an issue right?
Based on this sentence in the docs, it is not clear to me if data I save with MMKV is encrypted and safe or not.
Is data encrypted by default or do I need to set encryptionKey explicitly in order for it to be encrypted? What's the point of setting
encryptionKeythrough props when app could be reverse engineered and key would be compromised?