-
-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unclear docs regarding encryption #595
Comments
+1 we actually have the same concern in my team. How to encrypt and secure the storage to be able to put sensitive information in it, should we ask a token to our Backend and make a rotation of this encryption key or is it already handled by MMKV ? |
I don't think it's in the scope of this package to provide a way to safely store the encription key. |
100% agree with @francesco-clementi-92 here! |
@mrousavy I agree as well, my concern is only that docs are bit unclear about that. |
Is there any way to create and save a key locally in order to use the encryption feature safely? |
Definitely agree. However, if a key is lost then is there a way to clear out the encrypted instance? Since you won't be able to create a new instance with the same id and different encryption key. This is my understanding from reading through an older issue post but I want to verify. |
@NilsBaumgartner1994 generate a key separately using a key derivation function based on some randomness and some user dependent parameters (like their uid), encrypt mmkv using said key, then save it securely. some libs are available for kdfs, like react-native-argon2. to save the key use either android's keystore and ios' keychain, or just use react-native-keychain or expo securestore if you're on expo. |
This kinda defeats the purpose of secure mmkv if you are already using keychain, than you can just use keychain. |
I don't think it's a good idea to use keychain to store large data (consider the name referring to a store/holder for keys). ios' security daemon doesn't like having to work with data more than 4kb, for example. imho it would still be more robust to use mmkv storage to store your actual encrypted data, alongside keychain to store the key you encrypted mmkv with. especially if you are generating keys locally and not deriving them from a server token or whatever. |
True, even considering saving something in web would make the process easier. but what I would like to wish would be a in app written key saver. So we don’t have to reimplement the same key saving mechanic for android, web and iOS. |
I was curious about this, since it's such an old comment you are referencing, and I can reliably save 100 megabytes of data in keychain. Using the same testing method. Not sure if device dependent, but likely OS dependent. |
https://docs.expo.dev/versions/latest/sdk/securestore/ „ Size limit for a value is 2048 bytes. An attempt to store larger values may fail.“ |
So this is still an issue right? |
Based on this sentence in the docs, it is not clear to me if data I save with MMKV is encrypted and safe or not.
Is data encrypted by default or do I need to set encryptionKey explicitly in order for it to be encrypted?
What's the point of setting
encryptionKey
through props when app could be reverse engineered and key would be compromised?The text was updated successfully, but these errors were encountered: