Ad

Can Encryption Keys Be Stored In A User's Google Account When Using Firebase Auth?

I have an app running on Firebase web, with Realtime Database, and Auth with Google as the sole auth provider. I want data to be readable only by the user, so while I understand Realtime Database provides secure transmission and server storage, I don't want myself to be able to look at user's information as well in my Firebase console.

End-to-end encryption storing keys on the user device is not an ideal solution, since I want users to be able to access data across multiple devices.

AES encryption seems to be the best solution, but then the usual problem arises of where to store the keys.

My theory

If each user has a separate encryption key for their data, and I could store it in some 'web app data' part of their account, I could store their key (encrypted) on their account. My app and server therefore does not store their key, and the user does not need to explicitly store or remember anything, and yet the key remains solely in their possession (via their possession of their Google account). I would be responsible for storing the key to decrypt their key for my database though.

My question

Though I understand asking for an analysis of this theory is not strictly programming related and is a somewhat open-ended question, I would at least like to get a sense of the feasibility of this solution, and whether it is possible programming-wise.

Thank you!

Ad

Answer

It appears Google Drive App Data offers a potential solution making this a feasible method. https://developers.google.com/drive/api/v3/appdata

By requesting a https://www.googleapis.com/auth/drive.appdata scope during OAuth, an app can create an app data folder inside the user's Google Drive. An encryption key for user data seems like it can be stored in there then, without it being visible / tampered by the user, just in their possession at least.

Ad
source: stackoverflow.com
Ad