Question about encrypting data

Hello, I want to encrypt all data that users provide. I watched videos on encrypting on the Xano YouTube channel, but I still have questions about keys. I know there is a function to create secret keys, but should I create unique keys when encrypting and decrypting per user? Or should I have a universal key that encrypts and decrypts all users' data? What is the best practice for encrypting/decrypting?

Best Answer

  • arturosanz (Member ✭✭)

    @Josuke, it looks like you want to implement some kind of end-to-end (E2E) encryption as in Telegram or other instant messaging services. Only sender & receivers have the secret keys to decrypt the data, so users are responsible for keeping the keys safe. I don't know what kind of front end you will use for your app, but be careful where you store the keys because you can't trust the front end. Better if keys are ephemeral (one-time use preferably). If you need to save those keys for later reuse, then you should store them separately from the encrypted data in secure key vaults. Xano lets you use different storage services besides Xano's database and file storage.

Answers

  • Ray Deck (Trusted Xano Expert ✭✭✭)

    There are a lot of options for encrypting data at rest. A consequence will be reduced find-ability. Encrypted data will not be searchable - or rather, any process that searches will have to decrypt all the data first.

    As for how to decrypt - it depends on what you want to make happen! I've dealt with a couple of different techniques like nested encryption for per-client changeable/revocable keys.

    "Encrypt all the data" is possible but rarely what you really want when you put a little pressure on the question, and knowing what fields need encryption and why those are important can guide a reasonable conversation about which tools will accomplish that in a world-class way. If you can share more, maybe we can enlist the wisdom of the group!

    Encryption and security is a frequent topic in our work on the hardest 5% on State Change office hours too.

  • Josuke (Member)

    I appreciate your comment, Ray! Our app functions as a social networking platform where users may upload information and communicate with one another. We don't want to access the user's info because we want to reduce our liability. The age, name, and email addresses of users as well as the content (text, photos) that they post and all messages (text, images) that they send should be encrypted. Naturally, the content must be decrypted before users can read it in our app, but we do not want our staff to have access to their data stored in the Xano database.

  • Josuke (Member)

    Thank you @arturosanz! I am starting to get an idea of how to build my messaging system for my app. I appreciate the response!
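
Added example, not part of any post in this thread and not Xano's own code: one way to build the nested (envelope) encryption with per-client changeable keys that Ray Deck mentions, applied to the per-user key question. Each record gets its own random data key, which is wrapped under the owning user's key; the function names, the `user-1` id and the randomly generated keys are assumptions, and real user keys would be kept apart from the data, for instance in a key vault as arturosanz suggests.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM; blob layout is iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob or associated data was modified.
function unseal(key, blob, aad) {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Encrypt a record under a one-off data key, then wrap that key under the user's key.
// The user id is bound as associated data so a row cannot be moved to another user.
function encryptRecord(userKey, userId, text) {
  const dataKey = randomBytes(32);
  return {
    userId,
    wrappedKey: seal(userKey, dataKey, userId),
    body: seal(dataKey, Buffer.from(text, "utf8"), userId),
  };
}

function decryptRecord(userKey, rec) {
  const dataKey = unseal(userKey, rec.wrappedKey, rec.userId);
  return unseal(dataKey, rec.body, rec.userId).toString("utf8");
}

// Change a user's key: only the 60-byte wrapped key is rewritten, not the body.
function rotateUserKey(oldKey, newKey, rec) {
  const dataKey = unseal(oldKey, rec.wrappedKey, rec.userId);
  return { ...rec, wrappedKey: seal(newKey, dataKey, rec.userId) };
}

// Constructed demo values (hypothetical user id and keys).
const oldKey = randomBytes(32), newKey = randomBytes(32);
const rec = encryptRecord(oldKey, "user-1", "private message");
const rotated = rotateUserKey(oldKey, newKey, rec);
console.log(decryptRecord(newKey, rotated)); // body was never re-encrypted
```

With a single universal key, changing that key means re-encrypting every stored record; here a key change touches one small wrapped key per record and is scoped to one user.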