On Feb 12, 2014, at 4:28 PM, Alan McKean <[email protected]<mailto:[email protected]>> wrote:
I'm using AES 128 encryption. The key is generated on my Node.js server when the user registers to use the app. ... I struggled with this as a business decision and finally decided I could not safely/economically keep track of the encryption keys. User beware. It sounds like the encryption/decryption is done only by the client, and the server is simply passive storage of the encrypted documents? But in that case, why create the encryption key on the server? By doing that, you're no longer provably unable to read clients' documents. If you changed the system to generate the key on the client (after all it's simply generating a 128-bit random number) you could make better privacy guarantees. Other than that, the system seems sound. --Jens -- You received this message because you are subscribed to the Google Groups "Couchbase Mobile" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/7E84541A-6487-4844-AF2F-9FC4B98C4C25%40couchbase.com. For more options, visit https://groups.google.com/groups/opt_out.
