Encrypting sensitive data

I am storing some sensitive data like personal details of members and I want to make sure it’s rock solid and secure. My thinking is to create encryption keys to encrypt the data and create a decrypt key for each member of staff where their key is encrypted with their password. Is all this possible in Wappler? I want to make sure that even if someone gets all the code and all the data, they still can’t actually access anything important.

I also want to encrypt any uploaded documents/files in the same way.

If your database provides encryption at rest that should help. You can also encrypt pretty much any content with Wappler’s encryption capabilities.

More here: Encrypting & Decryption of information

1 Like

Thanks @scalaris. Yes, encryption at rest is a given.

What’s the technique for encrypting using their password in a way that staff can still access the data? I need it to use each member’s login password as part of the encryption/decryption process so that even having access to the entire server(s) with all files and data then, without the login details it would all be useless to anyone.

Also, has anyone implemented two-factor authentication within the Wappler security process?

Have you seen https://github.com/cossacklabs/acra ? I have looked into this a while ago, but got distracted by other projects…

The current weak point of encryption with Wappler that I can think of is that you hard-code the key in your server action. So if someone gets access to your application code, the encryption is useless.

Or you would have to ask for user input of the key each time you save the data, but that seemed very prone to error to me.

I think one way for staff still being able to access the data is to store the data twice. Once encrypted with a key provided and only known by end user and one that is known only to staff.

Another way I read about is asymmetric encryption, but I couldn’t figure out how to do this in wappler.

Please note that I am in no way an expert on this topic, but a user struggling with the same questions.

  • I think @mebeingken has implemented 2fa in his course on login etc
1 Like

That’s really helpful. Thanks @jellederijke.

I will do a quick prototype using the techniques I have in mind (combination of symmetrical and asymmetrical encryption with various keys where some require the login password as part of the decryption) and will no doubt post questions as I go.

I’m thinking that Server Connect can handle it and I just create some library action files which do the encrypting and decrypting but if anyone has any further tips then they would be gratefully received.

1 Like

What I am curious about is how one would handle a situation where a user forgets his/her password. Does that render the data useless?

It would if they were the only user who had access to it. As there would be keys for staff then they would have access to the data so a new key could be created for the user. I’m still working that through, though.

It would mean that the staff passwords (and all users, really) need to be very strong as they would be the only way to decrypt the data.

@George - could this perhaps be a case study with a view to Wappler having the tools to provide this level of security built-in? I think it’s something more and more people will really benefit from.

1 Like

Hi @sitestreet,
I don’t agree with you.

I had a lot of doubts about building a fully encrypted system and how to allow people to retrieve their data if they lose their password.

I think a staff password that acts as a universal key, as in your example, would create more problems than benefits. That's because the staff would be responsible for all the security of the information and could get into trouble in case of misuse of the staff password.

Maybe we should look at the problem from a different perspective. Why not use, as crypto wallets do, the 12 words that allow you to recover your crypto tokens if you lose the password of your wallet?

In this case the system would be fully encrypted and staff would not be responsible for any leak of information, avoiding all those problems.

If people want an encrypted system, they don't want anyone to be able to access the data, even the most trustworthy staff in the world.

In that case I would suggest a component that encrypts but also generates the 12 words (or the 3 QR codes) as most wallets do.

That’s my opinion.

Hi @updates. That’s really helpful. This is exactly why I started the thread so I could thrash out possible solutions and methods.

I shall consider your suggestion and come back to you.

Thanks for your input, it’s very much appreciated.

Some initial thoughts. A staff member needs to have access to all the data. That is a given. So a staff login will always have a large amount of access. But I will be including 2-factor authentication to add an extra layer to that.

1 Like

I'm happy you liked the idea and you can come back as you want, but I'm technically at zero :wink:

I can give just my point of view.

Concerning the need for someone from staff to access the data, I can tell you what I saw recently:

It was a system designed for the management of passports. The passport was stored on the blockchain. The owner of the encrypted data (the passport) receives a request from another user to access the data. Access to the data is then given voluntarily by the owner.

I don't know if I've explained myself. But if needed I can find some details.

1 Like

Hi @sitestreet,

I was just wondering about this point: are you planning on saving the data twice, so once with pass of end user and once with some code available to staff members? Or do you have some other idea on how to handle this challenge?

bg

Jelle

Hi @jellederijke. My theory is to use multiple encryption/decryption keys. The data is encrypted with a key and the decryption key is stored for each user encrypted using their password. So the decrypt key isn’t stored anywhere, it uses the passwords and a salt. It means the passwords need to be strong and I’ll also use 2fa at the login stage.

Thanks for the swift reply.

I try to understand, but I have a hard time getting my head around it.

Situation 1:
End user 101 wants to save some secret data. So upon saving the data to the database you encrypt it with Wappler's 'encrypt with password' formatter. And when end user 101 wants to save some stuff, you ask them for their password and with the salt you create a hash of that and use that as a password for encrypt?

This is why I asked if you save the data twice or something. Because what I don't understand is that in this situation 1 you would only encrypt the data with end user 101's password. Because you don't know all the passwords of your staff. And they are most likely not on your app at the exact moment of end user 101 wanting to save some data, and thus cannot input their password for encryption.

Perhaps I don’t understand what you mean, or not thinking straight at all here, but I think I don’t get it, yet.

What happens to existing data when a user changes their password so therefore the encryption key changes?

The user’s existing key is decrypted with their old password and a new one encrypted with the new password.

The data is untouched as that is encrypted with a different key. It’s adding an extra level of keys between user and data.

Not quite. You encrypt the decryption key with their password, not the actual data itself.

Gotcha! Nice :beer:

I thought you were encrypting the data with the user’s password not the key itself.

It’s taken me some time to get my head around it all. I’m trying to have a solution whereby even if someone had access to absolutely everything - code, data, hosting, etc. - then they still couldn’t get to any of the data. But it also needs to be flexible and allow for multiple staff to log in and access it. Having a layer of encryption/decryption which uses passwords achieves that but by not using the passwords on the data itself, there isn’t the issue of losing all the data if a password is forgotten or having to duplicate the data for every member of staff.

How I actually achieve all this in Wappler I’m still not sure, though!

Quick Q…
If someone has forgotten their password, how do you decrypt the key? I’m assuming you aren’t storing a plain text version of their password anywhere…

Their existing decryption key can be deleted and a new one created using their new password. This is another reason for having that extra layer.