1

I really enjoy using Firebase, and I would like to use it in a new app, but the app would have the user upload sensitive information.

I know Firebase uses https, but looking around, it seems Firebase does not yet make encryption at rest available.

Is there a way around this to use Firebase and still make an administrator unable to read the data from the Firebase Forge, for instance?

Thank you.

MScottWaller
  • 3,321
  • 2
  • 24
  • 47

1 Answers1

2

If you encrypt all data that you store in Firebase with a key that is only known to the client, it will not be readable by anyone but that client.

Update (20160528): As of a few months ago all data for the Firebase Database is also encrypted at rest.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • That makes sense. Would there be a way to export that encryption key to someone else, so that the person who needs the sensitive information for an application could read it? – MScottWaller Feb 29 '16 at 20:36
  • There are many ways to do that. If the secret is shared between all clients, you could simply keep it in the application code. If different parties in the app need separate keys, then you should set up some sort of "shared secret exchange". A search for that term will give quite some good options. – Frank van Puffelen Mar 01 '16 at 07:33
  • 7
    @FrankvanPuffelen that update is good news, is there an official source for for this info? could not find any info about this on the firebase.google.com website – Mark Camilleri Jul 11 '16 at 14:11
  • 3
    @FrankvanPuffelen I know you work at Firebase but is there any official source on firebase website that can be quoted if needed? – Chintan Patel Oct 20 '16 at 17:31
  • 1
    @FrankvanPuffelen I'm +1 the question above me , an official documentation will be great for us in terms of compliance. is there a source we can use? – Rotem Slootzky Dec 04 '16 at 06:45
  • 2
    @FrankvanPuffelen Is the Google Cloud Platform encryption at rest page - https://cloud.google.com/security/encryption-at-rest/ - also applicable to Firebase? – Alankar Misra Dec 27 '16 at 20:36
  • in addition to the @AlankarMisra question, is it possible to manage keys with CMEK options, or CSEK options? or only the default options? – ykorach Mar 05 '19 at 07:47