Where does the WebCrypto API store keys?

I am using the WebCrypto API with some success to encrypt messages between server and client (let's assume I need to do this manually).

My problem is that I need to check if a keypair for the user and server already exists instead of generating a new keypair all the time. Is there a way to check if it exists and retrieve it for decryption of server messages?

To clarify, my privateKey is on the browser and publicKey is sent to server.

I have a nodejs server and plain JS front end.

Thanks in advance.

Claw answered 25/3, 2018 at 16:41
Consider this answer, which was found by googling your title. - Fireback
Thanks @JamesKPolk, I read that Q but only the first reply... my bad. - Claw

CryptoKeys are not persistent by default. You need to store the keys in the IndexedDB to make them available to the next browser execution.

IndexedDB is secure storage: keys can be stored, recovered and used without exposing the key material.

See https://www.w3.org/TR/WebCryptoAPI/#concepts-key-storage

5.2. Key Storage

This specification does not explicitly provide any new storage mechanisms for CryptoKey objects. Instead, by allowing the CryptoKey to be used with the structured clone algorithm, any existing or future web storage mechanisms that support storing structured clonable objects can be used to store CryptoKey objects.

In practice, it is expected that most authors will make use of the Indexed Database API, which allows associative storage of key/value pairs, where the key is some string identifier meaningful to the application, and the value is a CryptoKey object. This allows the storage and retrieval of key material, without ever exposing that key material to the application or the JavaScript environment.

Here you have a full example https://blog.engelke.com/2014/09/19/saving-cryptographic-keys-in-the-browser/

Galton answered 25/3, 2018 at 19:14
Many resources say that IndexedDB is saved as clear text on the hard disk. How is this considered safe? - Casaleggio

SOLVED:

You can use IndexedDB for storing CryptoKey objects.

I tried plain old local storage and it does not work.

For more info, see:

Claw answered 26/3, 2018 at 19:46
A little addition: localStorage does not work because it can only store strings. CryptoKeys are not strings, so they cannot be stored in localStorage. - Kreager

You should use IndexedDB to store keys on the client side. The benefit of using IndexedDB is that you will be able to store keys as they are (mostly in CryptoKey form) and use them after retrieving them from IndexedDB.

You won't have to export keys and then transform them in some way, like base64 encoding or JSON encoding, as in the case of other storage options like localStorage.

To make IndexedDB usage easier, there is a promise-based library available which is very often used by the tutorials and posts that cover IndexedDB usage.

Barnum answered 17/12, 2022 at 17:44