Encrypted

[ghost]

is this not accepted ?

[dmonad]

Hey @pgte,

Sorry for not answering sooner, I haven't been very active on my Github issues. I think that this PR encrypts data before it is written to the indexeddb database. The encrypt/decrypt function must be provided to y-indexeddb.

My question is this: Assuming we use some kind of password/key to encrypt/decrypt the data, we must store the key anyway somewhere in the browser. So the client is compromised anyway as soon as the malicious code has access to indexeddb.

Is there an implementation that can actually prevent the above scenario?

[pgte]

It's up to the user / app. In the case of the app I'm developing, the key is transmitted via the hash portion of the URL. Also, it can be a key derived from a pass-phrase that is memorised by the user. Or any combination of the above.