General Security Questions #2

@jamesmcintyre

Description

This extension looks super helpful and I'll probably end up using it, but I did have some questions around the security/encryption approach. Btw, this issue is mostly about me trying to learn more about these security approaches, so I appreciate ANY input or advice!

I looked through the "storage.js" source and your readme notes. I see that you are storing the "master" encryption key in IndexedDB as a JWK. From my own research I know it's tricky trying to secure any data in Chrome extensions, so I'm curious about this approach.

  • Given that the encryption key is stored as a JWK in the same IndexedDB, is the primary security here obtained by IndexedDB's same-origin policy, where only the extension that created it can read it?
  • I can see how this attains "encrypted at rest", so perhaps the main attack vector here would not necessarily be sites/extensions in Chrome accessing IndexedDB, but an attacker gaining access to the filesystem itself?
  • I'm guessing that's why you mentioned "You can separate the encryption key and API keys as needed to ensure maximum security", from which I gather you mean modifying the source code to store the key in some remote (ideally secure) storage option?

I'm exploring options for how to secure user data in a Chrome extension I plan on building. What I'm trying to accomplish is that, if a user chooses, their data will be encrypted with a key which my APIs/service never receives. While my service will "backup"/"sync" their data, that data is fully encrypted in my service's DB, and my service never gets their key. They will have to input their key on any other device they log into (via my auth, which still has no ability to access their key); otherwise that device cannot decrypt the data it pulls from my server.

My biggest open question is how to make that key both more secure (not trusting users to hold onto a key, or else their data is gone) and yet maintain a good user experience. I.e., could I store their master key in any form? (If they encrypt it before sending it to me, we still need that key now, lol.) Basically, I'm wondering if there's any way to accomplish seamless syncing of data without requiring the user to hold onto and input that key on other devices?

Thanks in advance for any input and thanks for making this extension opensource!
