Re: [w3c/IndexedDB] Encrypted storage (#191)

That's exactly the reason why it is better if the browser API supports it. Key
management.

Today browsers already do password management, credit card management,
payment API management, and even keychain/fingerprint.

A piece of API or data that is only accessible from trusted code from a
trusted origin.



On Thu, Jul 25, 2019, 19:44 Sora2455 <notifications@github.com> wrote:

> You can hack this together with the Crypto API if you have to.
>
> JSON.stringify (IE8+) -> TextEncoder (polyfillable) ->
> crypto.subtle.encrypt (Edge and up, IE11 if you're willing to handle a
> non-promise result) -> IDBObjectStore.add() (IE10+) saves any JSON data to
> disk encrypted.
>
> IDBObjectStore.get() -> crypto.subtle.decrypt -> TextDecoder -> JSON.parse
> gets it back out again.
>
> Really, the hard part is key management, as it usually is with these
> things. Personally, I include it in the HTML of the page server-side,
> retrieve it and remove it from the HTML client-side before any other code
> has a chance to run. If you make sure your key is held in a closure, and
> that you Object.freeze the APIs in question, you should be safe.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/IndexedDB/issues/191#issuecomment-515059228

Received on Thursday, 25 July 2019 14:10:58 UTC
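
The encrypt-then-store pipeline described in the quoted message, written out as an added example; it is not code from either poster or from the IndexedDB project. It assumes AES-GCM and a 32-byte raw key that the page has already obtained, and the names `makeVault`, `seal`, `open` and `saveEncrypted` are hypothetical.

```javascript
// Added example. makeVault, seal, open and saveEncrypted are hypothetical names.

// Web Crypto handle; the dynamic import is only a fallback for older Node.js.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// The CryptoKey lives only in this closure: callers get seal/open, never the key.
// rawKey is assumed to be a 32-byte Uint8Array the page already holds.
async function makeVault(rawKey) {
  const wc = await getCrypto();
  // extractable=false: exportKey() on this handle is rejected by the browser.
  const key = await wc.subtle.importKey(
    'raw', rawKey, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);

  async function seal(value) {
    const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV for every record
    const plaintext = new TextEncoder().encode(JSON.stringify(value));
    const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
    return { iv, ct: new Uint8Array(ct) }; // typed arrays survive structured clone
  }

  async function open(record) {
    // Rejects if iv or ct was modified: AES-GCM authenticates the ciphertext.
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ct);
    return JSON.parse(new TextDecoder().decode(pt));
  }

  return Object.freeze({ seal, open });
}

// Browser only. Encrypt BEFORE opening the transaction: an IndexedDB
// transaction becomes inactive while a non-IDB promise is awaited.
async function saveEncrypted(db, storeName, vault, id, value) {
  const record = await vault.seal(value);
  return new Promise((resolve, reject) => {
    const tx = db.transaction(storeName, 'readwrite');
    tx.objectStore(storeName).add({ id, ...record });
    tx.oncomplete = () => resolve(id);
    tx.onerror = () => reject(tx.error);
    tx.onabort = () => reject(tx.error);
  });
}
```

The IV is stored in the clear next to the ciphertext; only the key has to stay secret, which is the key-management problem the thread is about.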