security - Encrypting user data on App Engine - Stack Overflow
source link: https://stackoverflow.com/questions/6040673/encrypting-user-data-on-app-engine
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
By using our site, you acknowledge that you have read and understand our Cookie Policy, Privacy Policy, and our Terms of Service.
I'm writing a web and Android app that allows users to store and access some potentially private data. The transmission of this data over RPC is already protected with SSL. I'm currently storing this piece of data in a Text property, without any encryption. I'm now looking at ways to better protect the storage of the data.
Question 1: Are there any general best practices or tips for encrypting data for storage on App Engine?
One idea I had was to switch the property to a Blob field, transmit only encrypted data over the wire, and do decryption and encryption in the clients (in Javascript and on Android).
For the encryption key, I'm looking at just using the logged-in user's email address provided by the UserService. The user email address is known only when the user is logged in, and the sensitive entity has no reference to the user's email address — only the user ID.
Question 2: Does the user email address make sense as an encryption key? If not, what are other well-known options for encryption keys?
I'm not sure you get a ton of benefit from this. Transmitting the data over SSL is certainly a good idea. If you store the user data unencrypted, someone still has to obtain access to your datastore before they can hijack anything. If you encrypt the data based on properties of the user object, you have to expose that relationship in the client-side encryption/decryption code, so that's essentially public. Someone who obtains access to your datastore and your App Engine source can still decrypt everything, it's just trickier.
One alternative would be to store your encryption key server-side, but take some additional steps to protect it. Permanently prohibit code downloads. Keep your encryption key in source, not in the datastore, but not in source control. Stick it on a USB key, and write a custom deployment wrapper that injects the key into your code at the last minute, deploys, and then scrubs the code. This way, someone who obtains admin rights to your app and access to source control still can't decrypt user data. Your deployment machine is still vulnerable, but you've reduced the attack space.
If you want to go a step further, have users generate their own encryption keys, and store them client-side. Never transmit them to the server. An attacker could still target one user, but no one, including you, would be able to decrypt user data en masse. If users lose their self-selected key, their data is lost forever.
Changing the property to the Blob is really a good idea, in that case, encryption and decryption will be easy. Use some default library to encrypt the data. Coming to your next point, Using email as a encryption key is really a bad idea, You should use the User_id which is available in user object, which is really unique.
Your Answer
Post as a guest
Required, but never shown
By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy
Not the answer you're looking for? Browse other questions tagged security google-app-engine google-cloud-datastore or ask your own question.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK