Hi, I’m new to cryptography. I’ve read several articles introducing cryptographic functionalities in Ionic 3 apps. Right now, I’m using:
- cordova-sqlcipher-adapter to store tables & db locally in the Ionic 3 app
- HTTPS to communicate with a backend server
- authentication tokens for every request after password authorization
However, in the above setup, the cordova-sqlcipher-adapter requires a key to encrypt and decrypt the local DB. I don’t want to store that key anywhere - in the source code, locally, or in the server.
From this Ionic forum topic: Cryptography code review wanted
I gather that:
a) js-jose can be used to encrypt & decrypt content
b) Use the user’s password with a salt to encrypt and decrypt content
c) Don’t store password or key ANYWHERE
My questions about the above approach of using the user’s password to generate a key are:
- Suppose I don’t want to ask for the user’s password every time the app launches; what should I do? Won’t I be storing the user’s password somewhere in that case? Isn’t that similar to storing the key somewhere, which then makes the app less secure?
- What is the encryption/decryption logic flow if a user forgets his/her password? How do I decrypt the local DB if the user resets the password?
Any help in answering the above questions is appreciated.
Thanks for your time!