
Web app with client-side encryption

I am developing a web application which will encrypt data on the client side, then send the data to a server. The server will store the encrypted data, but will not have the ability to decrypt the data. The point is to keep the client's data secure, so that not even the server hosts have access to the data. This can be guaranteed by the fact that the server only receives encrypted data and never receives the key.

I plan to use Javascript for the encryption and decryption on the client side. Additionally, the connection will be secured with SSL.

I read the article here: http://www.matasano.com/articles/javascript-cryptography/ which suggests that Javascript should not be used for encryption, but it doesn't address my use case.

Is this a secure solution? Is there a way that I can make it more secure?

Paul asked Mar 14 '13 21:03


1 Answer

Take a look at the Host-Proof Hosting pattern (from July 2005).

In A Blink Sketch:

Locked inside data cloud, key at browser.

Solution

Host sensitive data in encrypted form, so that clients can only access and manipulate it by providing a pass-phrase which is never transmitted to the server. The server is limited to persisting and retrieving whatever encrypted data the browser sends it, and never actually accesses the sensitive data in its plain form. All encryption and decryption takes place inside the browser itself.

Key points are you need to still use TLS/SSL and have full trust in the host serving both the HTML and JavaScript resources.

Also, Web-browser encryption of personal health information has a solution similar to what you are looking for.

Encryption data flow

Kevin Hakanson answered Sep 28 '22 00:09
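The Host-Proof Hosting flow described in the answer above, as an added example that is not part of the original post or of the pattern's own code: the browser derives a key from the pass-phrase and uploads only an encrypted envelope. PBKDF2-SHA-256 with AES-GCM via WebCrypto, the iteration count, and the envelope field names and function names are assumptions made for this example.

```javascript
// Added example: client-side envelope for Host-Proof Hosting (WebCrypto).
// Browsers and recent Node expose WebCrypto as globalThis.crypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const PBKDF2_ITERATIONS = 600000; // assumption: tune to the slowest client you support

const toB64 = (buf) =>
  btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(""));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Pass-phrase -> non-extractable AES-256-GCM key. Runs only in the client.
async function deriveKey(passphrase, salt, iterations) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns the only thing the server stores: KDF parameters, salt, IV, ciphertext.
async function sealRecord(passphrase, plaintext, iterations = PBKDF2_ITERATIONS) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // must be fresh per encryption
  const key = await deriveKey(passphrase, salt, iterations);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { v: 1, kdf: "PBKDF2-SHA256", iterations,
           salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Rejects (throws) on a wrong pass-phrase or if the stored envelope was altered,
// because AES-GCM authenticates the ciphertext.
async function openRecord(passphrase, envelope) {
  const key = await deriveKey(
    passphrase, fromB64(envelope.salt), envelope.iterations);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: fromB64(envelope.iv) }, key, fromB64(envelope.ct));
  return dec.decode(pt);
}
```

The envelope protects the data as stored and returned by the server; it does not remove the answer's requirement to trust the host that serves the HTML and JavaScript, since that host controls the code that sees the pass-phrase.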