This model reminds me of sealed boxes, so I wanted to add that to this discussion.
Send a public key to the client (say, in a secrets input page); your browser encrypts the field content with that key, and you receive the ciphertext on the server. You can then decrypt it, discard the sealed box keys, and persist the data however you need. (Presumably something that sensitive would get encrypted with a different key before going into the database, but you could keep the keys around and have each piece of data protected by a different key. This has pros and cons.)
GitHub Actions secrets are protected in transit to GitHub using sealed boxes.
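The flow described in the comment above, as a runnable sketch added here (not code from the original post or from libsodium): the server publishes an X25519 public key, the client seals a field value to it with a throwaway key pair, and only the server can open the result. It assumes Node's built-in `crypto` and swaps in HKDF-SHA256 with ChaCha20-Poly1305 for the XSalsa20-Poly1305 construction used by libsodium's `crypto_box_seal`, so the output is not wire-compatible with real sealed boxes; `seal`, `openSealed` and the sample secret are hypothetical names and values.

```javascript
// Added example: sealed-box-style encryption (ephemeral X25519 key + AEAD).
// Layout of a sealed message: ephemeral public key (32) || ciphertext || tag (16).
const nodeCrypto = require('node:crypto');

const SPKI_PREFIX = Buffer.from('302a300506032b656e032100', 'hex'); // DER header for X25519
const rawPub = (key) => key.export({ type: 'spki', format: 'der' }).subarray(-32);
const pubFromRaw = (raw) => nodeCrypto.createPublicKey(
  { key: Buffer.concat([SPKI_PREFIX, raw]), format: 'der', type: 'spki' });

// Key and nonce are bound to both public keys, so a box cannot be replayed to another recipient.
function deriveKeyAndNonce(shared, ephPubRaw, recipientPubRaw) {
  const info = Buffer.concat([ephPubRaw, recipientPubRaw]);
  const okm = Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 44));
  return { key: okm.subarray(0, 32), nonce: okm.subarray(32, 44) };
}

// Client side: needs only the recipient's public key.
function seal(recipientPubRaw, plaintext) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const ephPubRaw = rawPub(eph.publicKey);
  const shared = nodeCrypto.diffieHellman(
    { privateKey: eph.privateKey, publicKey: pubFromRaw(recipientPubRaw) });
  const { key, nonce } = deriveKeyAndNonce(shared, ephPubRaw, recipientPubRaw);
  const cipher = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // The ephemeral private key goes out of scope here: the sender cannot reopen the box.
  return Buffer.concat([ephPubRaw, body, cipher.getAuthTag()]);
}

// Server side: needs the recipient key pair; throws if the box was modified.
function openSealed(recipient, sealed) {
  if (sealed.length < 48) throw new Error('sealed box too short');
  const ephPubRaw = sealed.subarray(0, 32);
  const body = sealed.subarray(32, sealed.length - 16);
  const shared = nodeCrypto.diffieHellman(
    { privateKey: recipient.privateKey, publicKey: pubFromRaw(ephPubRaw) });
  const { key, nonce } = deriveKeyAndNonce(shared, ephPubRaw, rawPub(recipient.publicKey));
  const decipher = nodeCrypto.createDecipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  decipher.setAuthTag(sealed.subarray(sealed.length - 16));
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

function demo() {
  const server = nodeCrypto.generateKeyPairSync('x25519');  // one key pair per form
  const sentToClient = rawPub(server.publicKey);            // goes out with the page
  const box = seal(sentToClient, Buffer.from('constructed-api-token')); // constructed sample
  return openSealed(server, box).toString();                // then discard `server`
}
console.log(demo());
```

Because the box is anonymous, it authenticates the ciphertext but not the sender, so the server still has to authenticate the request that carries it.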