I’m building a chat application which uses RSA encryption for the majority of its encryption needs. I’d like to allow users to log in from anywhere with a username and password, but this means the client doesn’t have immediate access to the private key, meaning it would need to be stored server-side. So my question is, is it safe to store a user’s RSA secret key on the database, so long as it is symmetrically AES encrypted against their password?
I’ve considered making users log in with a mnemonic phrase, which the seed could be used to derive the private key client side, however, this feels clunky, as the user is still required to set a password which is used for authentication.
Although bulky, an alternative I am considering is to generate a new public/private pair for each app instance, and store only the public keys on the server. I’d like to avoid this approach if possible for the sake of reducing the amount of data associated with each user.
You need to sign in to view this answers
Leave feedback about this