
The app I am implementing will contain highly sensitive user data and as such we want to encrypt the data before saving it, both locally and online (on Gcloud Firestore). I'd like to do this using Envelope Encryption.

Currently I have a Python back-end deployed on Gcloud Run which has the credentials to connect to GCloud KMS. It offers a REST API that I want to use to encrypt the Data Encryption Key (DEK) using a GCloud KMS key as Key Encryption Key (KEK). Currently it can only encrypt simple strings us

I do this from a separate back-end instead of from the app itself because as far as I know, there's no safe way to store GCloud Credentials inside the app. The GCloud KMS Client Library does not support Android. Another SO answer touches upon this.

On the Android side I use Tink to create a Data Encryption Key, and I can encrypt my data with it. The last step, and what I can't fully figure out, is how I can send the AEAD Key to my backend. This is what I've already considered:

  • Tink technically already has support for directly working with GCloud, but that would require my app to have GCloud Credentials which isn't secure as mentioned above.

  • I could use a JSONKeyWriter to write a JSON version of the key to a String using a ByteArrayOutputStream, and send this String to be encrypted using my back-end, but for some reason I can't yet explain that doesn't feel right to me.

So I'm a bit stuck. Is the second option still the correct one? Maybe there is another third option I have not yet considered. I don't think I'm the first ever to implement this but I can't seem to find any information on working this way.
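An added, offline round trip of the envelope scheme described in the question (example code written here, not the asker's or Tink's): a local AES key stands in for the Cloud KMS KEK, the `wrap_dek`/`unwrap_dek` functions stand in for the back-end REST API, and the wrapped DEK is stored beside the record's metadata, which is authenticated as AAD. It assumes the `cryptography` package; all keys, record ids and payloads are constructed.

```python
import base64
import json
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
# "Back-end" side: stands in for the Cloud Run service and its Cloud KMS KEK.
_KEK = AESGCM.generate_key(bit_length=256)  # constructed stand-in for the KMS key

def wrap_dek(dek: bytes, record_id: str) -> dict:
    """Wrap a DEK under the KEK. The record id is bound as AAD, so a wrapped
    DEK copied onto a different record fails to unwrap."""
    nonce = os.urandom(12)
    wrapped = AESGCM(_KEK).encrypt(nonce, dek, record_id.encode())
    return {"nonce": _b64(nonce), "wrapped": _b64(wrapped)}

def unwrap_dek(blob: dict, record_id: str) -> bytes:
    return AESGCM(_KEK).decrypt(_unb64(blob["nonce"]), _unb64(blob["wrapped"]),
                                record_id.encode())

# "App" side: a fresh DEK per record; only the DEK itself goes to the back-end.
def encrypt_record(record_id: str, metadata: dict, payload: bytes) -> dict:
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    # Metadata stays in the clear but is authenticated as AAD (tamper-evident).
    ciphertext = AESGCM(dek).encrypt(nonce, payload, _canon(metadata))
    wrapped = wrap_dek(dek, record_id)  # the REST call in the real design
    return {"id": record_id, "metadata": metadata, "nonce": _b64(nonce),
            "ciphertext": _b64(ciphertext), "wrapped_dek": wrapped}

def decrypt_record(rec: dict) -> bytes:
    dek = unwrap_dek(rec["wrapped_dek"], rec["id"])  # the REST call in the real design
    return AESGCM(dek).decrypt(_unb64(rec["nonce"]), _unb64(rec["ciphertext"]),
                               _canon(rec["metadata"]))

def can_decrypt(rec: dict) -> bool:
    """True only if ciphertext, metadata and wrapped DEK all verify."""
    try:
        decrypt_record(rec)
        return True
    except InvalidTag:
        return False

def _canon(metadata: dict) -> bytes:
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def _unb64(s: str) -> bytes:
    return base64.b64decode(s)
```

Changing the stored metadata, or moving a wrapped DEK to another record id, makes `can_decrypt` return False, which is the property that makes storing the wrapped DEK next to the metadata safe against silent substitution.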

  • Can you clarify (1) where the actual encrypted data will be stored, (2) where the wrapped DEK will be stored, and (3) where you want to be able to unwrap the object and see the decrypted data? I have a couple possible suggestions depending on what you're really trying to do. – Tim Dierks Jan 07 '20 at 19:00
  • @TimDierks (1) I am storing events which consist of some metadata together with some binary files. The encrypted metadata will be stored in FireBase, the encrypted files in Firestore. (2) The wrapped DEK will be stored together with the metadata. (3) I want to decrypt the objects in my Android app. The main purpose is that no one but the user can see their data, but there are multiple users on the same app on the same tablet. – HDW Jan 08 '20 at 07:59
  • Hi HDW, before discussing potential solutions, I'd like to understand your purpose more. If there are multiple users on the same app, I imagine the app must have some way to authenticate users, correct? After authentication, you'd know the identity of the user, and from that you can make sure they can only see their files. I'm not sure why encryption is needed. Is that because you want to back up files to the Cloud? – Thai Duong Feb 14 '20 at 16:49
  • StackOverflow doesn't allow me to edit my comment. Overall, I want to understand the requirements, that is what features your app offers, and what security/privacy guarantees you want to provide to your users. Please email me at thaidn@google.com if you want to share this info in private. We can also talk on the phone or Hangouts. – Thai Duong Feb 14 '20 at 17:00
  • Any update on this? I'm stuck on the same problem :/ – Ebenezer Isaac Jul 13 '21 at 08:19
  • @EbenezerIsaac I got into contact with Thai via mail and it turned out envelope encryption for my use case probably wasn't the best fit. I did however end up using my second proposal, the JSONKeyWriter. I can't make any guarantees on how safe that is though. – HDW Aug 03 '21 at 07:27
