rt2zz / redux-persist

persist and rehydrate a redux store
MIT License

Adding ability to encrypt storage data #274

Open kappa-gooner opened 7 years ago

kappa-gooner commented 7 years ago

Do you have near term plans to incorporate encryption onto the storage data? https://github.com/jas-/crypt.io

In this case, we could pass an additional attribute in the persistConfig to persist the data with encryption (The flag could either be the machine's UUID or a user set passphrase)

var pass = window.prompt("Please enter password...", "a custom password");

// Proposed option: passphrase used to encrypt the persisted data
var persistConfig = {
  passphrase: pass
};

persistStore(store, persistConfig, callback);

rt2zz commented 7 years ago

I think this can be achieved today using https://github.com/maxdeviant/redux-persist-transform-encrypt, although that uses crypto-js not crypt.io.

Looking at crypt.io, I think it could work with some adaptation, but the one method it is missing is getAllKeys. This could theoretically be achieved by saving a separate known key which stores all other keys, but that would require some adaptation in redux-persist core. Open to PRs!

robmoorman commented 7 years ago

I've implemented the idea @rt2zz mentioned earlier and it's working quite well (it passes security audits). For iOS we use a passphrase stored in the KeyChain, on Android in the KeyStore. With that passphrase we encrypt/decrypt data via redux-persist.

Two things to keep in mind

Planning to make this mechanism open-source, as it's battle tested for some months now in different production apps.

rt2zz commented 7 years ago

@robmoorman wow, very interested in your implementation. Is it materially different from https://github.com/maxdeviant/redux-persist-transform-encrypt ?

As for lock/reboot locking the keychain, is there a workaround? Do you keep the data you need in the background in a non-encrypted store?

robmoorman commented 7 years ago

Hi @rt2zz it's an addition to https://github.com/maxdeviant/redux-persist-transform-encrypt as the secretKey comes from the KeyChain/KeyStore (auto-generated by the device), so it's not stored in the JS bundle on device.

There is a setting for iOS, yes, to adjust so that the keychain can be accessed in this case. I used this, but you can see what the setting is like: https://github.com/oblador/react-native-keychain/blob/master/RNKeychainManager/RNKeychainManager.m#L85

More info here: https://developer.apple.com/reference/security/ksecattraccessiblealways

I'll inform you when this package is ready (need it for a project right now, so planning to make it open-source).

enahum commented 7 years ago

@robmoorman any progress on your project?

patrickkempff commented 7 years ago

@robmoorman I am also interested in your approach. Any possibility you can share some more information? 👍

robmoorman commented 7 years ago

Hey @patrickkempff, haven't got the time (yet) to work on this. You can watch my react-native-redux-secure-storage repo, I'll place it over there.

phillbaker commented 7 years ago

I missed it the first time I read the readme, but if you're on react native redux-persist-sensitive-storage also looks like a good candidate.

taranda commented 6 years ago

@robmoorman Have you had a chance to open source your react-native-redux-secure-storage?

patrickkempff commented 6 years ago

Here is a very simple implementation using react-native-keychain: https://gist.github.com/patrickkempff/86f44f017568a973f5c041b205e4365c

vidhyeshpatil commented 6 years ago

I need to encrypt all my reducers using redux-persist (in that I am using persist-store) in which all my data is stored in browser local-storage. When I see my browser local-storage, I should be able to see my data encrypted, once it gets passed from persist-store and stored into local-storage.

Can you please help me with some examples?
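
One way to get what the last comment asks for, as an added example that is not code from this thread or from any package named in it: an encrypting transform using AES-256-GCM, with the key derived at runtime from a passphrase rather than shipped in the bundle. It assumes Node's built-in crypto module (a browser would use Web Crypto instead), and makeEncryptTransform, deriveKey and demo are hypothetical names.

```javascript
// Added example. makeEncryptTransform, deriveKey and demo are hypothetical names.
const crypto = require("crypto");

// Derive a 32-byte AES key from a passphrase entered at runtime.
// The salt is not secret and can be stored next to the encrypted data.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Returns an object with the in/out pair a redux-persist transform exposes.
function makeEncryptTransform(key) {
  return {
    // Inbound: reducer state -> opaque string written to storage.
    in(state, sliceKey) {
      const iv = crypto.randomBytes(12); // fresh nonce for every write
      const c = crypto.createCipheriv("aes-256-gcm", key, iv);
      c.setAAD(Buffer.from(sliceKey)); // bind ciphertext to its reducer key
      const ct = Buffer.concat([c.update(JSON.stringify(state), "utf8"), c.final()]);
      return [iv, c.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
    },
    // Outbound: stored string -> reducer state, or undefined if unreadable.
    out(stored, sliceKey) {
      try {
        const [iv, tag, ct] = String(stored).split(".").map((s) => Buffer.from(s, "base64"));
        const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
        d.setAAD(Buffer.from(sliceKey));
        d.setAuthTag(tag);
        return JSON.parse(Buffer.concat([d.update(ct), d.final()]).toString("utf8"));
      } catch (err) {
        return undefined; // wrong key, tampered or moved data: treat as nothing persisted
      }
    },
  };
}

// Constructed demo: a Map stands in for localStorage.
function demo() {
  const salt = crypto.randomBytes(16);
  const t = makeEncryptTransform(deriveKey("a custom password", salt));
  const storage = new Map([["auth", t.in({ token: "constructed-sample" }, "auth")]]);
  const raw = storage.get("auth");
  return {
    raw,
    restored: t.out(raw, "auth"),
    wrongKey: makeEncryptTransform(deriveKey("another password", salt)).out(raw, "auth"),
    wrongSlice: t.out(raw, "settings"),
  };
}
```

The stored value is three base64 fields (nonce, authentication tag, ciphertext); a wrong passphrase or a value copied under a different reducer key fails authentication and comes back as undefined instead of corrupt state.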