Cryptography Questions

Hi, I’m new to cryptography. I’ve read several articles introducing cryptographic functionalities in Ionic 3 apps. Right now, I’m using:

  1. cordova-sqlcipher-adapter to store tables & db locally in the Ionic 3 app
  2. HTTPS to communicate with a backend server
  3. authentication tokens for every request after password authorization

However, in the above setup, the cordova-sqlcipher-adapter requires a key to encrypt and decrypt the local DB. I don’t want to store that key anywhere - in the source code, locally, or in the server.

From this Ionic forum topic: Cryptography code review wanted
I gather that:
a) js-jose can be used to encrypt & decrypt content
b) Use user’s password with a salt to encrypt and decrypt content
c) Don’t store password or key ANYWHERE

My questions with the above approach of using the user’s password for generating a key are:

  • Suppose I don’t want to ask for a user’s password every time during app launch, what should I do? Will I not be storing the user’s password somewhere in that case? Isn’t it similar to storing the key somewhere, which then makes the app less secure?
  • What is the encryption-decryption logic flow if a user forgets his/her password? How to decrypt the local DB if the user resets password?

Any help in answering the above questions is appreciated.

Thanks for your time!