https://supabase.com/ logo
#help
Title
# help
a

anon_123

04/13/2022, 3:55 PM
I would like to add a Notes feature to my project. I want these to be encrypted so that not even I as the admin of the DB can read them. Is this possible with supabase? And if so, how would that work? Is the key the password? What if a user looses their password?
n

Needle

04/13/2022, 3:55 PM
Hello @anon_123! This thread has been automatically created from your message in #843999948717555735 a ``few seconds ago``. Pinging @User so that they see this as well! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ... menu) and select Leave Thread to unsubscribe from future updates. Want to change the title? Use the
/title
command! We have solved your problem? Click the button below to archive it.
🆕 encrypted notes and password loss
s

Scott P

04/13/2022, 4:18 PM
I've been thinking about this recently, and I'm also interested in ideas. It depends on how secure your notes need to be. Are we talking personal, sensitive information, or are we talking shopping lists? Firstly, I would consider doing encryption on the client-side. This means that the data is encrypted before it ever leaves the user device, essentially becoming E2E encryption. Libsodium might be good for this as it supports 'sealed boxes' (https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) and has bindings for different languages. The downside is that if a user loses their password, there would be no way to recover their notes. There is a pgsodium library you could enable in the DB: https://github.com/michelp/pgsodium . It's installed in projects already. This would move the encryption to the DB instead. You'd lose the benefit of E2E encryption with this approach, but the password hash for the user account could be used as the key. The downside of this is that you haven't really protected the data, you've just moved the key elsewhere in the DB. I think the best solution would be to have the users provide their own password, and if they lose it, there's no nice way to recover it.
n

Needle

04/13/2022, 4:18 PM
encrypted notes and password loss
a

anon_123

04/13/2022, 5:32 PM
Thank you for the reply @Scott P . I agree about the E2E being ideal. In my case it's notes anywhere between a diary entry to a shopping list. Unfortunately I cannot see a way of doing E2E without the risk that if a user looses their password then it's all gone. And quite frankly, humans are gonna human and there will be losses of data because of that. Unless of course there is a way of both storing the password in a way that I cannot access and they can. I'm not familiar with such a solution. Altho I had a chat with someone working in Open Banking saying that this can be solved by storing some of the data at a third party. I like the idea but I also gotta ask myself how far I am willing to go for my non existent (and possibly never existing...) users here. After reading your comment I am thinking that I could offer "faux" encryption by storing the encryption key for them so that if they loose it they can get the data back, and E2E where they have to agree that they understand that if they loose their password it's game over! What do you think?
v

valentin ッ

06/15/2022, 5:50 PM
hey, i'm interested if you found a solution to your problem, i'd be happy to hear it