PGP encrypted messaging coming tomorrow
  • This is awesome. Thanks bro
    2
    reply
  • No, no, no, no don't store private keys in the server, that's almost like having no encryption at all.

    If this is "really" required, I'd suggest to load the pvt key from localstorage then, and ask the user to store that safely.

    As an option though, since not everyone would be "glad" to do that.
    2
    reply
  • privkeys being stored hashed in the db is as secure as passwords being stored in the db.


    it's not like these privkeys are going to be used for anything more than reading messages
    1
    reply
  • if my audience were android users, storing the privkeys locally would be a decent option.


    as it stands, users storing privkeys locally on their devices is probably more insecure for your average user than hashed keys
    1
    reply
  • Keep in mind, the library I'm using, and how I'll be using it, is the same shit protonmail utilizes.


    If I'm understanding how the library works, privkeys created with a passphrase will not even be usable without that passphrase. No hashing required. In which case, I could even store the entire privkey without concern.


    I'm not 100% sure on that, but this is the impression I have gotten so far when reading the openpgpjs documentation.
    1
    reply
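
The property discussed in the comment above (a private key created with a passphrase is unusable without it), shown as an added example that is not part of any comment and is not the site's or openpgpjs's code. It uses Node's built-in `crypto` with an RSA key in passphrase-encrypted PKCS#8 form as a stand-in for an OpenPGP key; the function names, passphrases and message are constructed for the illustration.

```javascript
// Added illustration using Node's built-in crypto, not openpgpjs.
// All names and sample values are constructed for this example.
const crypto = require("node:crypto");

// Client: create a key pair whose private half is encrypted under the passphrase.
// Only these two PEM strings would be uploaded; the passphrase stays with the user.
function createAccountKeys(passphrase) {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase },
  });
}

// Sender: encrypt a short message to the recipient's public key (RSA-OAEP).
function encryptFor(publicKeyPem, text) {
  return crypto.publicEncrypt(publicKeyPem, Buffer.from(text, "utf8"));
}

// Recipient: returns the plaintext, or null when the passphrase is missing or wrong.
function readMessage(storedPrivateKeyPem, passphrase, ciphertext) {
  try {
    const key = passphrase === undefined
      ? storedPrivateKeyPem
      : { key: storedPrivateKeyPem, passphrase };
    return crypto.privateDecrypt(key, ciphertext).toString("utf8");
  } catch {
    return null;
  }
}

// What the server database holds for one user (constructed sample).
const serverRecord = createAccountKeys("correct horse battery staple");
const message = encryptFor(serverRecord.publicKey, "meet at noon");

function demo() {
  return {
    header: serverRecord.privateKey.split("\n")[0],
    noPassphrase: readMessage(serverRecord.privateKey, undefined, message),
    wrongPassphrase: readMessage(serverRecord.privateKey, "hunter2", message),
    rightPassphrase: readMessage(serverRecord.privateKey, "correct horse battery staple", message),
  };
}
console.log(demo());
```

The stored blob can still be guessed against offline by anyone who obtains it, so its protection is bounded by the strength of the passphrase. If the passphrase is persisted next to the key, whatever can read both can decrypt.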
  • yeah after playing around with it, the ui experience of having to re-enter keys is horrible.


    since the security is already only 'good enough', i might as well just store the passphrase after being entered in localstorage... i hate this but idk what else to do


    with an option to toggle it, and warning users of the compromise that has been made for ui.


    anybody who wants anything more secure will just have to roll their own pgp.
    1
    reply