Ask HN: Legality of web app with encrypted database?

1 points by pcarbonn 9 years ago | 1 comment

For a Web App, I'd like to encrypt user entries on the client side before sending them to the server (and decrypt them after receiving them from the server). The encryption salt (chosen by the user) would be saved in the session on the client-side, NOT on the server.

The benefit for the user is that his data is fully protected in case of a server breach. Also, I would have no way to see his confidential data, so he does not have to trust me so much. (On the other hand, I would also have no way to help the user recover his salt if he loses it).

I don't recall seeing that approach used anywhere. Do you know of any reason ?

Is it because of a legal requirement to be able to assist government investigation, and thus be able to read user data saved on the server ??

csixty4 9 years ago |

The most obvious reason is just casually glancing around my office there's two PCs, two Macs, and two phones. Any of them could be in use at a time, and often the only thing that makes this convenient is having them all access the same data on a server somewhere.

Also, I can't lose data on a server if my personal equipment is stolen, damaged, or has a catastrophic hardware or filesystem issue (like hit my Mac a couple months ago). Odds are the server is running much better hardware than I can afford, with much better redundancies.