Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unclear docs regarding encryption #595

Open
slavko-lukic opened this issue Oct 31, 2023 · 13 comments
Open

Unclear docs regarding encryption #595

slavko-lukic opened this issue Oct 31, 2023 · 13 comments

Comments

@slavko-lukic
Copy link

Screenshot 2023-10-31 at 13 57 36

Based on this sentence in the docs, it is not clear to me if data I save with MMKV is encrypted and safe or not.

Is data encrypted by default or do I need to set encryptionKey explicitly in order for it to be encrypted?
What's the point of setting encryptionKey through props when app could be reverse engineered and key would be compromised?

@jeremiebardon
Copy link

+1 we actually have the same concern in my team.

How to encrypt and secure the storage to be able to put sensitive information in it, should we ask a token to our Backend and make a rotation of this encryption key or is it already handled by MMKV ?

@francesco-clementi-92
Copy link

I don't think it's in the scope of this package to provide a way to safely store the encription key.
However, I suggest to study react native documentation about storing secrets: https://reactnative.dev/docs/security
The common use case is to use for example https://github.com/oblador/react-native-keychain or get the encryptionKey from your backend (HTTPS protocol mandatory of course and protected by authentication)

@mrousavy
Copy link
Owner

100% agree with @francesco-clementi-92 here!

@slavko-lukic
Copy link
Author

@mrousavy I agree as well, my concern is only that docs are bit unclear about that.

@NilsBaumgartner1994
Copy link

Is there any way to create and save a key locally in order to use the encryption feature safely?

@foureight84
Copy link

100% agree with @francesco-clementi-92 here!

Definitely agree. However, if a key is lost then is there a way to clear out the encrypted instance? Since you won't be able to create a new instance with the same id and different encryption key. This is my understanding from reading through an older issue post but I want to verify.

@theabhishek2511
Copy link

theabhishek2511 commented Mar 29, 2024

Is there any way to create and save a key locally in order to use the encryption feature safely?

@NilsBaumgartner1994 generate a key separately using a key derivation function based on some randomness and some user dependent parameters (like their uid), encrypt mmkv using said key, then save it securely.

some libs are available for kdfs, like react-native-argon2.

to save the key use either android's keystore and ios' keychain, or just use react-native-keychain or expo securestore if you're on expo.

@slavko-lukic
Copy link
Author

Is there any way to create and save a key locally in order to use the encryption feature safely?

@NilsBaumgartner1994 generate a key separately using a key derivation function based on some randomness and some user dependent parameters (like their uid), encrypt mmkv using said key, then save it securely.

some libs are available for kdfs, like react-native-argon2.

to save the key use either android's keystore or ios' keychain, or just use react-native-keychain or expo securestore if you're on expo.

This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.
One good way I found is combination of keychain and zustand where keychain is used as persist storage.
In that case, data is stored securely in the keychain, you decrypt it once at app start when you hydrade the zustand store, and than you can read the data from memory without the need to decrypt it every time.

@theabhishek2511
Copy link

This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.

I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.

imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.

@NilsBaumgartner1994
Copy link

This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.

I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.

imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.

True, even considering saving something in web would make the process easier.

but what I would like to wish would be a in app written key saver. So we don’t have to reimplement the same key saving mechanic for android, web and iOS.
Would be easier for many to use mmkv

@ericlewis
Copy link

This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.

I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.

imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.

I was curious about this, since it's such an old comment you are referencing, and I can reliably save 100 megabytes of data in keychain. Using the same testing method. Not sure if device dependent, but likely OS dependent.

@NilsBaumgartner1994
Copy link

This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain.

I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example.
imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever.

I was curious about this, since it's such an old comment you are referencing, and I can reliably save 100 megabytes of data in keychain. Using the same testing method. Not sure if device dependent, but likely OS dependent.

https://docs.expo.dev/versions/latest/sdk/securestore/

„ Size limit for a value is 2048 bytes. An attempt to store larger values may fail.“

@NilsBaumgartner1994
Copy link

So this is still an issue right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants