How to encrypt user data in Firebase

29,975

You can easily do that the following way:

  1. After user A logs in, a random public/private key pair is generated on his phone, e.g. using ECC Curve25519.
  2. The private key from A is stored securely on his phone.
  3. The public key from A is stored in Firebase and is accessible to anybody that chats with A.
  4. If X sends a message to A, he fetches the public key from A from Firebase, encrypts the message for A locally and stores the encrypted message on Firebase in the inbox from A.
  5. A downloads the encrypted message from Firebase and decrypts it with his private key stored on his phone.

(vice versa for A to X)

If A wants to move to another phone or wants to use multiple phones, you can do it this way:

  1. Ask A to define a strong password to encrypt his locally stored private key (or create a random passphrase and use QR codes for key exchange).
  2. Encrypt the private key locally (e.g. using AES256) on his phone with the password from step 1 and upload it to Firebase (optionally sign it with his private key).
  3. Download the encrypted private key from the second device from A
  4. Ask for the passphrase on the second device from A and store the private key securely (optionally check the signature with the public key from A).
  5. Delete the encrypted private key from Firebase if no backup is wanted.
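Both procedures from the answer above, as an added example that is not part of the original answer: Node.js built-in `crypto` stands in for the phone's crypto library, and the returned objects are what would be written to Firebase. The answer names only Curve25519 and AES256; the hybrid construction (ephemeral X25519, HKDF, AES-256-GCM), the scrypt password derivation, the function names, the HKDF label and the scrypt parameters are assumptions.

```javascript
// Added example: Node.js built-in crypto only; database reads/writes are omitted.
const crypto = require('node:crypto');

// AES-256-GCM helpers shared by both procedures.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv: iv.toString('base64'), ct: ct.toString('base64'), tag: c.getAuthTag().toString('base64') };
}
function open(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(box.iv, 'base64'));
  d.setAuthTag(Buffer.from(box.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(box.ct, 'base64')), d.final()]); // throws on wrong key or tampering
}

// X25519 shared secret -> 32-byte message key, bound to the sender's ephemeral public key.
function messageKey(privateKey, publicKey, ephPubDer) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephPubDer, 'inbox-message-v1', 32)); // label is hypothetical
}

// Steps 3-4: X encrypts for A knowing only A's public key (SPKI DER, as fetched from the database).
function encryptForRecipient(recipientPubDer, plaintext) {
  const recipientPub = crypto.createPublicKey({ key: recipientPubDer, format: 'der', type: 'spki' });
  const eph = crypto.generateKeyPairSync('x25519'); // one-time sender key pair
  const ephPubDer = eph.publicKey.export({ format: 'der', type: 'spki' });
  const box = seal(messageKey(eph.privateKey, recipientPub, ephPubDer), Buffer.from(plaintext, 'utf8'));
  return { ...box, epk: ephPubDer.toString('base64') };
}

// Step 5: A decrypts with the private key that stayed on the device.
function decryptAsRecipient(recipientPriv, msg) {
  const ephPubDer = Buffer.from(msg.epk, 'base64');
  const ephPub = crypto.createPublicKey({ key: ephPubDer, format: 'der', type: 'spki' });
  return open(messageKey(recipientPriv, ephPub, ephPubDer), msg).toString('utf8');
}

// Multi-device steps 1-4: wrap the private key under a password-derived key before upload.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 }; // illustrative cost parameters
function wrapPrivateKey(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32, SCRYPT);
  return { ...seal(kek, privateKey.export({ format: 'der', type: 'pkcs8' })), salt: salt.toString('base64') };
}
function unwrapPrivateKey(blob, password) {
  const kek = crypto.scryptSync(password, Buffer.from(blob.salt, 'base64'), 32, SCRYPT);
  return crypto.createPrivateKey({ key: open(kek, blob), format: 'der', type: 'pkcs8' });
}
```

The GCM tag makes decryption fail outright on a wrong password, wrong key or modified blob. Nothing here authenticates A's public key, so a client that accepts whatever key the database returns is relying on the database's integrity.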


Author: NoNameProvided


Updated on July 09, 2022

Comments

  • NoNameProvided
    NoNameProvided almost 2 years

    I am using the email/password sign-in method for Firebase. I would like to encrypt the data users save into the realtime database before sending it to the database. Firebase already handles the user password, but can I somehow use it to encrypt data which can't be decrypted by me, only by the client? It would be nice if I could achieve it with the client SDK.

    So my flow would be something like this:

    1. User signs in with its credentials (which is handled by Firebase itself)
    2. User encrypts some data with some unique key, which can be generated only from the credentials or from some data available only for the user, but not me. (This key needs to be persistent between sessions, or after the user changed his password.)
    3. Data is saved into the database (I can't read it since it's encrypted with the user credentials)
    4. User logs in on a different device (the decryption key can be generated right away and data can be decrypted.)
    • Rohit Navarathna
      Rohit Navarathna almost 8 years
      You'll need to store the decryption key somewhere. If it's in the database, you can use it. If it's in the client device, you can't migrate it to a different device. Unless the user has some part to play in remembering or transferring this key, I don't see how you can do this without involving the user.
    • NoNameProvided
      NoNameProvided almost 8 years
      Yeah, but if the key could be generated from some unique value of the user auth object which is loaded only after the user is logged in with his credentials, then it would work. Sadly I don't know about such a property on the auth object.
    • NoNameProvided
      NoNameProvided almost 8 years
      It is such a basic requirement tho, I am wondering how others tackled this problem.
    • NoNameProvided
      NoNameProvided almost 8 years
      I am thinking about using some third-party login such as Google or FB, because their user ID is unique and accessible only after the user has logged in, and it can't be checked in the console because there I can only see the UUID generated by Firebase. This approach is worth a try.
    • Rohit Navarathna
      Rohit Navarathna almost 8 years
      security.stackexchange.com probably has an answer to your question. Maybe this question security.stackexchange.com/questions/91704/…
    • Rohit Navarathna
      Rohit Navarathna almost 8 years
      If you do encrypt the database, you can't do any search queries on it
    • NoNameProvided
      NoNameProvided almost 8 years
      I don't need to query
    • andygeers
      andygeers about 7 years
      If it helps, I wrote a blog post about how I solved this: geero.net/2017/05/…
  • Aftermathew
    Aftermathew over 7 years
    Criteria #4 was that user could log in with a different phone and be able to access her data. So this does not work. However, it could work if a user password or some other user supplied secret was used in key generation. When you go to the new phone, user would need to re-add in their secret to unlock their data.
  • Hollerweger
    Hollerweger over 7 years
    It's described in the second part of the answer.
  • Aftermathew
    Aftermathew about 7 years
    Ahh yes. Indeed it is. Sorry I missed that.
  • Vincenzo
    Vincenzo over 3 years
    @Hollerweger Hi, I'm new to encryption and I'm not sure I understood this system correctly. If an attacker gets access to the DB, he would have all the users' public keys available, as in step 3 we save them in Firebase, and will be able to decrypt the entire DB, right? With the suggested schema, A's public key can be used by the attacker to decrypt A's inbox. And so forth for the rest of the DB. Am I missing something? If I'm correct, this will only slow down the app and give users the risk of not being able to retrieve their own data, right? Can you please clarify this? Many thanks. Cheers.
  • Hollerweger
    Hollerweger over 3 years
    No, the public key can only be used for encryption, not for decryption. The private key for decryption is not stored on Firebase.
  • Vincenzo
    Vincenzo over 3 years
    @Hollerweger Thanks. I actually read a bit more about public key cryptography and I understand it better now.