Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

End to end encryption with Firestore

Tags:

firebase

google-cloud-firestore

google-cloud-functions

Is there any recommended way to encrypt data in Firestore? Even though Firestore, by default, encrypts data before it writes to the disk, admins still can read data in the console. I am looking to make the data readable only by users who are allowed decrypt it. So it will be unreadable in the console.

One way I think it may be possible is to use cloud functions but I can't find how to modify the data before it gets saved to the disk (beforeWrite hook).

like image 410
alexndm Avatar asked Jan 23 '18 03:01

alexndm

People also ask

Does Firebase use end to end encryption?

Firebase sends data over an HTTPS connection, so the data is already being encrypted for you. No work required.

Can we encrypt data in Firebase?

Firebase services encrypt data in transit using HTTPS and logically isolate customer data. In addition, several Firebase services also encrypt their data at rest: Cloud Firestore.

2 Answers

You'll need to encrypt data on the client devices before you write them into Firestore. When the other device reads up the data, decrypt it.

Key management is what you'll need to spend some time with to implement: Users on both devices need to have private keys locally and public keys accessible to the other users to encrypt messages with. Then you'll need to create a data encryption key to encrypt/decrypt messages in the chat room. This data encryption key, you'll encrypt with the participating users' public keys. And all keys, store in Firebase, encrypted.

Check out these 2 sample apps for a Firestore chat app example:

  • iOS: https://github.com/VirgilSecurity/demo-firebase-ios
  • Android: https://github.com/VirgilSecurity/demo-firebase-android

David

like image 113
David Szabo Avatar answered Sep 20 '22 10:09

David Szabo

The only way to control all access to all data in Firestore (or Realtime Database for that matter) is to perform encryption on the raw data itself before it's even passed to the client APIs or SDKs that perform the write.

It's not possible to hook writes before they actually commit to storage with Cloud Functions. A function will only receive an event after the data is successfully written.

Also, bear in mind that if you encrypt data before it reaches the API, you will be unable to search and sort using that data, because it will no longer represent the original data in any way. All you would be able to do is access a document/location by its unique key (assuming that key is also not encrypted, or the encrypted id is (cryptographically) shared between both parties through another secure channel.

like image 25
Doug Stevenson Avatar answered Sep 21 '22 10:09

Doug Stevenson
Sign in to Comment

Related questions

Read Data From Firebase database
How to login user automatically in iOS swift?
Handling Asynchronous Calls (Firebase) in functions
How to retrieve notification message intent.getExtras() when app is background FCM
Calling async function inside non-async function in React-Native - Firebase
Prevent Search Engine Indexing of Angular 5 Website - Firebase
firebase cloud messaging Request contains an invalid argument
Rate limiting for Google/Firebase cloud functions?
View logs of firebase functions in real time
No virtual method verifyPhoneNumber, FATAL EXCEPTION: main
Wait Firebase async retrieve data in Android
"No such module 'Firebase'" when add Firebase into a library
Android Firebase update only some fields
Finding all docs with specific reference in Cloud Firestore
Cloud Storage for Firebase access error "admin.storage(...).ref is not a function"
Create a reference to a Cloud Storage document in Firestore
After updating iOS, all applications using the framework stopped running on the device, but they run on the simulator
Firebase v8 Typescript definition import for User
Best way to implement push notifications with Firebase
Firebase Authentication : Lookup a user by Email

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!