0

I'm trying to encrypt my sensitive data for an application. For the key generation part, I'm using crypto/pbkdf2. I'm generating the encryption key on the fly based on the user supplied password. When a user is created, that's when I'm encrypting the corresponding data of the user with the user's supplied password. However, whenever that particular user tries to access a resource, I've to decrypt the data before showing it to the user. Where do I get the password from, everytime an endpoint is called by that user to access a resource?

Note: I'm storing the hashed password of the user in the database schema, also I don't want to store the encryption password anywhere!

rustyx
  • 80,671
  • 25
  • 200
  • 267
mostlycryptic
  • 197
  • 1
  • 6
  • 20

1 Answers1

0

The typical solution to this is called token-based authentication (or in OAuth terms, Resource Owner Password Credential Flow).

Create a "login" endpoint that will derive the encryption key from the supplied username/password and exchange it for a (time-limited) "access token", storing it in a key-value store with TTL support (e.g. etcd, Redis).

Then each subsequent request will need to supply the access token (e.g. in the Authorization header), which is then used to retrieve the encryption key from the key-value store.

rustyx
  • 80,671
  • 25
  • 200
  • 267