I'm trying to find out if there's a way to securely keep encryption keys in memory while using them in my web app. I'm concerned about the security risks since I know browser extensions and other tabs might be able to access the memory of my tab. Is there a way to store these keys safely, like in a key-store? Or can I isolate my tab's memory so that it remains private from other tabs and extensions? I'm new to this topic, so I appreciate any guidance!
4 Answers
Honestly, it's best not to attempt storing sensitive keys like that in the client's memory. Consider using existing secure methods like PKCS#11, which allows you to handle cryptography more securely by using a hardware security module instead of trying to do it yourself.
This isn't possible, no. To ensure security, you should avoid attempting any in-memory key management on the client side.
Unfortunately, you can't ensure memory isolation from browser extensions. The browser is built in a way that everything runs in the same process space; extensions can have elevated permissions. Therefore, it's crucial to avoid keeping permanent keys in client memory and clear them immediately after use.
Don't worry too much; a website can't access another site's memory because each tab operates in its own sandbox. However, be cautious with browser extensions since they run with the user's permissions, which can be a risk. You can use in-memory storage for sensitive data, but remember that cookies and local storage can be accessed by any tabs on the same domain. If you're worried about secret keys, keep them secure and minimize their exposure!

Thanks, this is useful. I just wanted to make sure that the secret keys are not accessible by anything but my web app.
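
One way to act on the advice in the answers to minimize key exposure and clear key material right after use, as an added example that is not from any of the posts: it imports raw bytes as a non-extractable Web Crypto (`crypto.subtle`) key and zeroes the page's own copy. The function names and sample values are assumptions made for illustration. Script that runs inside the page can still use such a key; it only loses the ability to read the raw bytes through the API.

```javascript
// Added example: keep only a non-extractable CryptoKey handle in page memory.
// Uses the standard Web Crypto API; all sample values are constructed.

async function getCrypto() {
  // Browsers and recent Node.js expose globalThis.crypto; older Node.js needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Hypothetical helper: import raw AES key bytes, then wipe the caller's buffer.
async function importAndWipe(rawKey) {
  const { subtle } = await getCrypto();
  const key = await subtle.importKey(
    'raw', rawKey, { name: 'AES-GCM' },
    false,                    // extractable = false: exportKey() will be refused
    ['encrypt', 'decrypt']
  );
  rawKey.fill(0);             // importKey copied the bytes; clear our copy now
  return key;
}

async function demo() {
  const c = await getCrypto();
  const raw = c.getRandomValues(new Uint8Array(32)); // constructed sample key
  const key = await importAndWipe(raw);

  // The handle is still usable for encryption and decryption.
  const iv = c.getRandomValues(new Uint8Array(12));
  const msg = new TextEncoder().encode('constructed sample plaintext');
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, msg);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);

  // Reading the raw bytes back through the API is rejected.
  let exportRejected = false;
  try {
    await c.subtle.exportKey('raw', key);
  } catch {
    exportRejected = true;
  }

  return {
    extractable: key.extractable,
    exportRejected,
    rawWiped: raw.every((b) => b === 0),
    roundTrip: new TextDecoder().decode(pt),
  };
}
```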