search

taoensso / tempel

Data security framework for Clojure
https://www.taoensso.com/tempel
Eclipse Public License 1.0
125 stars 2 forks source link

Encrypt keychain with public key #12

Open Flawless opened 4 months ago

Flawless commented 4 months ago

Hi there,

I was genuinely impressed with your introduction to this library, and now I'm experimenting with use cases to understand its functionality in practice better.

Currently, I'm mapping out the following architecture:

Organizations store sensitive data. Organizations consist of users. Users require access to all sensitive data, managed by the organization.

I've identified two potential solutions:

1) Each user possesses their own keychain, and all data are encrypted with public keys specific to each organization user. 2) All data are encrypted with a single keychain, and users are provided with a copy of this keychain, encrypted with their public keys.

The first approach should work well if data changes infrequently, but in other case it would be expensive to encrypt the data with all the keys on every write. However, if I anticipate frequent updates to the data, the second approach seems more suitable. All data encrypted with one keychain, and each user read it with their own copy of the same keychain. But, I encountered a challenge with encrypting the keychain asymmetrically with the user's public key. To address this, I devised a solution where I encrypt an organization's keychain with a randomly generated key, then encrypt this random key with the user's public key, and share both with the user.

As I was outlining this, I realized that I could encrypt all data with random keys and then encrypt the keys for all users using their public keys. However, this approach resembles the second method I initially described.

Therefore, it would be beneficial if the keychain could also be encrypted with the public key.

And also it would be nice to have a multi-key encryption, that could make such cases much easier to solve without modelling the key sharing architecture manually.

Thank you for your contribution to data security. The situation is worsening these days, and initiatives like yours could help make the internet a safer place. Your efforts are truly invaluable.

ptaoussanis commented 3 months ago

@Flawless Hi Alexander, apologies for the delay replying - and thank you for the kind words and thoughtful suggestions.

Will look at this in more detail and give a proper response next time I'm on batched Tempel work 👍