We are designing a web app where users can share documents with each other. The ultimate goal is to achieve zero trust needed by the users, i.e. client-side encryption makes sure that the servers (or any middlemen) are not able to see any plaintext data. (I am aware of the potential shortcomings of a browser-based encryption solution. We have ideas to counter some of the problems, I may ask about them here later, but I don't want to pollute this question.)
The basic scheme for zero trust would look like this:
- If the user signs up (via OAuth2), their browser generates a random passphrase of 32 base-62 characters.
- That passphrase is used to derive a public / private key using PBKDF2.
- The public key gets sent to the server, the user is prompted with the random passphrase generated under 1. so they can note it down.
- We generate a random key for each document, encrypt that with the public keys of all participants and store that along with the document.
The private key and the initial random passphrase (1.) never leave the client, so there is no way data could be decrypted server-side.
BUT: This is not that convenient for the end-user. If they lose the key (and they most definitely will), then they don't have access to any of their documents. If they log in on another device they have to enter the passphrase. We are dealing with a very diverse user group and most of them are not "tech-savvy" at all, and they should not need to be.
There are BYOK solutions like the ones used by Google Workspace CSE. But AFAICS the user would have to authenticate to another service in order to use our service. That is not convenient either and perhaps just not explainable to our users.
Given that we control authentication - it is provided by Auth0 - is there any way we could possibly store the user's private key anywhere (even third parties) without the user having to authenticate twice?
Also, we are contemplating a mode we call "soft" mode, where we store the private key on behalf of the user using a completely separate infrastructure using an HSM. This would of course violate the zero trust principle, but at least it would protect against data breaches where encrypted documents are leaked. Users can always opt in to the "hard" mode. (There is a problem if a document is shared between a user using "hard" and a user using "soft" mode, basically breaking the promise made to the user using the "hard" mode. We would address that by making it clear and optionally let the user enforce that all participants must use "hard" mode.)
Does this make sense? Are there any directions for further reading? Please excuse me, if I was not able to be concise or clear enough.