Best Practices for Storing E2E Messenger Keys

Asked By CuriousCoder42 On

I'm working on a hobby project to build an end-to-end encrypted (E2E) messenger website. The participants exchange keys using a Diffie-Hellman key exchange (DHKE), but I'm unsure about the best way to store the exchanged keys. I'm considering two options: encrypting and storing them in the local storage of the users' devices or keeping them encrypted in my backend database. Are these options secure enough for a hobby project, or are there better alternatives?

2 Answers

Answered By TechSavvyJoe On

You really should only store the keys on the client's device. Storing them elsewhere kind of defeats the purpose of end-to-end encryption. Since DHKE gives you a shared secret, it's meant to stay on the client side. You might want to look into using ephemeral keys for even more secure communication.

Answered By SecureDevGal On

Storing keys only in memory on the client is a good move. Keep in mind that the lifespan of these keys is usually short since they're meant for a single communication session, not for identifying clients. It's best to avoid long-term storage.
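The approach both answers describe (ephemeral keys, kept only in client memory) can be sketched with the browser's WebCrypto API. This is an added example, not code from the asker or either answerer; the function names, the P-256 curve, the HKDF step and the `demo-session-v1` label are assumptions chosen for illustration.

```javascript
// Uses the browser's WebCrypto; falls back to Node's copy so it runs outside a browser.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;

// Fresh key pair per session. extractable=false means the private key
// cannot be exported into localStorage or sent to a backend.
async function newEphemeralKeyPair() {
  return subtle.generateKey({ name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits']);
}

// Only the public half ever leaves the device.
async function exportPublicKey(keyPair) {
  return new Uint8Array(await subtle.exportKey('raw', keyPair.publicKey));
}

// ECDH shared secret -> HKDF -> non-extractable AES-GCM session key.
async function deriveSessionKey(myPrivateKey, peerPublicRaw) {
  const peerKey = await subtle.importKey('raw', peerPublicRaw,
    { name: 'ECDH', namedCurve: 'P-256' }, false, []);
  const secret = await subtle.deriveBits({ name: 'ECDH', public: peerKey }, myPrivateKey, 256);
  const hkdfKey = await subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), // all-zero salt (HKDF default)
      info: new TextEncoder().encode('demo-session-v1') },     // constructed label
    hkdfKey, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function encryptMessage(sessionKey, text) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV for every message
  const ct = await subtle.encrypt({ name: 'AES-GCM', iv }, sessionKey, new TextEncoder().encode(text));
  return { iv, ct: new Uint8Array(ct) };
}

async function decryptMessage(sessionKey, { iv, ct }) {
  const pt = await subtle.decrypt({ name: 'AES-GCM', iv }, sessionKey, ct);
  return new TextDecoder().decode(pt);
}

// Both sides of one session, run locally with constructed input.
async function demoSession() {
  const alice = await newEphemeralKeyPair();
  const bob = await newEphemeralKeyPair();
  const aliceKey = await deriveSessionKey(alice.privateKey, await exportPublicKey(bob));
  const bobKey = await deriveSessionKey(bob.privateKey, await exportPublicKey(alice));
  const plaintext = await decryptMessage(bobKey, await encryptMessage(aliceKey, 'hello'));
  const exportBlocked = await subtle.exportKey('raw', aliceKey).then(() => false, () => true);
  return { plaintext, exportBlocked };
}
```

The session key lives only in the variables that hold it, so reloading or closing the tab discards it and the next session starts with a new exchange.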
