I would like to encrypt some user data before it's sent to the server. That is, the data will be encrypted on the client side in browser using JavaScript.
My question is, what options are available for storing private keys on the client side (it will be used for decrypting the data when user views it later on)?
HTML5 local storage or just reading local text file containing the key from JavaScript seems a bit off... Is it possible to use personal certificates for this purpose? Or is there any other option?
EDIT:
Slight clarification,
All the sensitive data that needs to be encrypted is generated on the client machine and it should never leave it in plain-text. The data in question is mostly files which user will upload to the server, however we might want to encrypt some form fields as well in the future.
Once the encrypted data is sent to server it is stored in ciphered form and will never be decrypted anywhere else other than the same client machine. For example if the user decides to download his files back, he will receive encrypted files which will be decrypted in browser using JavaScript.
Also it's crucial for us that the Public-Private key pair is generated on the same client machine. This will be done only once manually by the user or with the help of some automated solution.
Bottom line is, neither the private key nor plain-text data should ever leave the client's machine.
asked Feb 6, 2015 at 11:09 by orom, edited Feb 6, 2015 at 12:56
- You don't need a private key for encrypting, just the public one. – Alex H Commented Feb 6, 2015 at 11:18
- @AlexanderH Indeed the data will be encrypted using public key (which is stored on the server), however it needs to be decrypted later on, when for example, user wants to view it. Hence the need to store the private key client-side in browser. – orom Commented Feb 6, 2015 at 11:32
- Then you need a second pair of keys, I would say. Everything else is like using no key – Alex H Commented Feb 6, 2015 at 11:43
- Why do you think localStorage is not a good idea? – Artjom B. Commented Feb 6, 2015 at 11:48
- @AlexanderH Why two pairs of keys? Key pair will be generated on the client machine and the private key will never leave it. Only the public is sent to the server mostly because some data will need to be encrypted server side as well. Mutual authentication will be handled separately from all this. – orom Commented Feb 6, 2015 at 12:19
1 Answer
According to your description the data in files and form fields should only ever be used on the client. There is simply no need to use public-key encryption in this case. You should use a symmetric block cipher like AES to encrypt this data and send it to the server. The single random symmetric key will be generated in the client browser and stored in localStorage, possibly protected by a password (e.g. second layer of AES). The AES key is a 128/192/256-bit long binary string and it should never leave the client browser.
I think localStorage is the only viable option, because it is implemented by all modern browsers.
There may be other solutions like browser plugins or even a custom browser, though.
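The scheme this answer describes, sketched with the browser's WebCrypto API as an added example that is not part of the original answer. The function names, the `storage` parameter (pass `window.localStorage` in a browser), the `dataKey` slot name, and the choice of AES-GCM with PBKDF2 at 600000 iterations for the password layer are assumptions.

```javascript
// Added example, not code from the answer. Names and parameters are assumptions.
// WebCrypto is a global in browsers and recent Node; the fallback covers older Node.
const wc = globalThis.crypto ?? (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = wc.subtle;
const enc = new TextEncoder();
const toHex = (buf) => Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for your users' devices

// Stretch the password into an AES-GCM key that may only wrap/unwrap other keys.
async function deriveWrappingKey(password, salt) {
  const material = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Generate the random data key and persist only its password-wrapped form.
// `storage` is anything with getItem/setItem, e.g. window.localStorage.
async function createStoredKey(storage, password, slot = 'dataKey') {
  const dataKey = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const wrappingKey = await deriveWrappingKey(password, salt);
  const wrapped = await subtle.wrapKey('raw', dataKey, wrappingKey, { name: 'AES-GCM', iv });
  storage.setItem(slot, JSON.stringify({ salt: toHex(salt), iv: toHex(iv), wrapped: toHex(wrapped) }));
}

// Recover the data key as non-extractable; a wrong password fails the GCM tag check and rejects.
async function loadStoredKey(storage, password, slot = 'dataKey') {
  const rec = JSON.parse(storage.getItem(slot));
  const wrappingKey = await deriveWrappingKey(password, fromHex(rec.salt));
  return subtle.unwrapKey('raw', fromHex(rec.wrapped), wrappingKey,
    { name: 'AES-GCM', iv: fromHex(rec.iv) }, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
}

// Encrypt file or form bytes for upload; a fresh 96-bit IV is prepended to the ciphertext.
async function encryptForUpload(key, bytes) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await subtle.encrypt({ name: 'AES-GCM', iv }, key, bytes));
  const out = new Uint8Array(iv.length + ct.length);
  out.set(iv); out.set(ct, iv.length);
  return out;
}

// Split the IV off a downloaded blob and decrypt; tampered data is rejected by the GCM tag.
async function decryptDownload(key, blob) {
  const pt = await subtle.decrypt({ name: 'AES-GCM', iv: blob.subarray(0, 12) }, key, blob.subarray(12));
  return new Uint8Array(pt);
}
```

The stored record is readable by any script running on the page's origin, so the password layer is what protects the key at rest.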