I am using the email/password sign-in method for Firebase. I would like to encrypt the data users save into the Realtime Database before sending it to the database. Firebase already handles the user password, but can I somehow use it to encrypt data which can't be decrypted by me, only by the client? It would be nice if I could achieve it with the client SDK.
So my flow would be something like this:
- User signs in with their credentials (which is handled by Firebase itself)
- User encrypts some data with some unique key, which can be generated only from the credentials or from some data available only to the user, but not to me. (This key needs to be persistent between sessions, or after the user has changed his password.)
- Data is saved into the database (I can't read it since it's encrypted with the user credentials)
- User logs in on a different device (the decryption key can be generated right away and data can be decrypted.)
Can we encrypt data in Firebase?
Firebase services encrypt data in transit using HTTPS and logically isolate customer data. In addition, several Firebase services also encrypt their data at rest: Cloud Firestore, Cloud Functions for Firebase.
How do I encrypt data on firestore?
Firestore automatically encrypts all data before it is written to disk. There is no setup or configuration required and no need to modify the way you access the service. The data is automatically and transparently decrypted when read by an authorized user.
Is Firebase end to end encrypted?
Firebase sends data over an HTTPS connection, so the data is already being encrypted for you. No work required.
You can easily do that the following way:
- After user A logs in, a random public/private key pair is generated on his phone, e.g. using ECC Curve25519
- The private key from A is stored securely on his phone
- The public key from A is stored in Firebase and is accessible to anybody that chats with A.
- If X sends a message to A, he fetches the public key from A from Firebase, encrypts the message for A locally and stores the encrypted message on Firebase in the inbox from A
- A downloads the encrypted message from Firebase and decrypts it with his private key stored on his phone
(vice versa for A to X)
If A wants to move to another phone or wants to use multiple phones, you can do it this way:
- Ask A to define a strong password to encrypt his locally stored private key. (or create a random passphrase and use QR codes for key exchange)
- Encrypt the private key locally (e.g. use AES256) on his phone with the password from step 1 and upload it to Firebase. (optionally sign it with his private key)
- Download the encrypted private key from the second device from A
- Ask for the passphrase on the second device from A and store the private key securely (optionally check the signature with the public key from A)
- Delete the encrypted private key from Firebase if no backup is wanted
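
The multi-device steps above (encrypt the private key under a passphrase, upload the result, decrypt it on the second device), as an added example that is not part of the original answer. It uses Node's built-in `crypto` module; scrypt as the passphrase KDF and GCM as the AES-256 mode are choices made here (the answer only says AES256), and the blob field names and the `demo` passphrases are hypothetical.

```javascript
// Added example (not from the original answer): passphrase-wrap a private key
// so that only the wrapped blob is ever uploaded.
const { generateKeyPairSync, scryptSync, randomBytes, createCipheriv,
        createDecipheriv, createPrivateKey } = require('node:crypto');

const DER = { type: 'pkcs8', format: 'der' };

// Passphrase -> 256-bit wrapping key. scrypt is memory-hard, which slows
// offline guessing if the uploaded blob is ever read by someone else.
function deriveKey(passphrase, salt) {
  return scryptSync(passphrase, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Device 1: returns a JSON-safe object to store server-side.
// Only the passphrase is secret; salt, nonce and tag are not.
function wrapPrivateKey(privateKey, passphrase) {
  const salt = randomBytes(16); // fresh salt per wrap
  const iv = randomBytes(12);   // 96-bit GCM nonce, never reused under one key
  const cipher = createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKey.export(DER)), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { v: 1, salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Device 2: final() throws if the passphrase is wrong or the blob was altered,
// so a tampered upload is rejected instead of yielding a bogus key.
function unwrapPrivateKey(blob, passphrase) {
  const raw = (s) => Buffer.from(s, 'base64');
  const decipher = createDecipheriv('aes-256-gcm',
    deriveKey(passphrase, raw(blob.salt)), raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  const der = Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
  return createPrivateKey({ key: der, ...DER });
}

// Constructed round trip: Curve25519 key, wrapped and restored.
function demo() {
  const { privateKey } = generateKeyPairSync('x25519');
  const blob = wrapPrivateKey(privateKey, 'constructed example passphrase');
  const restored = unwrapPrivateKey(blob, 'constructed example passphrase');
  let wrongRejected = false;
  try { unwrapPrivateKey(blob, 'not the passphrase'); } catch { wrongRejected = true; }
  return { same: restored.export(DER).equals(privateKey.export(DER)), wrongRejected };
}
console.log(demo());
```

The stored blob is only as strong as the passphrase, which is why the answer asks for a strong password or a random passphrase moved by QR code.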