8 votes

How to handle encrypted text fields?

So, I have about fifteen years of web development experience mainly with classic ASP. Interestingly I never had a client who required any type of encryption other than some very low-level username/password logins for administrative backends.

What I am working on, as a pet project for my friends and family, is a private/direct messaging system that I will write with Go. To be clear, this is not a messaging service like WhatsApp or Signal. It will be similar to the private/direct messaging that you see here at Tildes or Reddit.

It is important to my friends and family that messages we write to each other be private and secure.

Thus, how would I go about encrypting the messages so that if someone were to get into the server and acquire the database, they wouldn’t be able to read them?

EDIT: At some point I will make the code available through GitLab.
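The question above is the "encrypted text field" case: the message body is encrypted before it is written to the database, so a stolen dump of the table alone is unreadable. The following Go example is added here by the editor and is not code from the original post or from the poster's project. It uses AES-256-GCM from the Go standard library (an authenticated cipher, so a modified ciphertext is rejected rather than silently decrypted to garbage) and binds each ciphertext to its row's message id and recipient id as associated data, so a ciphertext copied into another row does not decrypt. The key, ids and message text are constructed for the demo; how the key is loaded is an assumption, and it is the security-relevant point: the key must live somewhere the database dump does not (a KMS, an HSM, or at least a file or environment variable on the application host). If an attacker gets both the server and the key, field encryption buys nothing, which is exactly the gap the end-to-end suggestions in the comments below are meant to close.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// MessageKey wraps the AES-256-GCM AEAD used to protect message bodies at rest.
// Assumption: the raw key is loaded from outside the database (KMS, HSM, or a
// secret file/env var on the app host), never stored in the same DB as the rows.
type MessageKey struct {
	aead cipher.AEAD
}

// NewMessageKey builds the AEAD from a 32-byte key and rejects any other length.
func NewMessageKey(key []byte) (*MessageKey, error) {
	if len(key) != 32 {
		return nil, errors.New("message key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &MessageKey{aead: aead}, nil
}

// rowContext is the associated data that ties a ciphertext to one specific row.
// It is authenticated by GCM but not encrypted, so it can be the plain column values.
func rowContext(messageID, recipientID string) []byte {
	return []byte(messageID + "\x00" + recipientID)
}

// Seal encrypts body and returns base64(nonce || ciphertext || tag) for storage
// in a text column. A fresh random nonce is drawn per message; with a 96-bit
// nonce, reuse under the same key would break GCM, so it is never derived from data.
func (k *MessageKey) Seal(messageID, recipientID, body string) (string, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := k.aead.Seal(nonce, nonce, []byte(body), rowContext(messageID, recipientID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored field. Any change to the ciphertext, the tag, or the
// row ids it was sealed under makes the GCM tag check fail and returns an error.
func (k *MessageKey) Open(messageID, recipientID, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := k.aead.NonceSize()
	if len(ct) < ns+k.aead.Overhead() {
		return "", errors.New("stored value too short to contain nonce and tag")
	}
	pt, err := k.aead.Open(nil, ct[:ns], ct[ns:], rowContext(messageID, recipientID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered data, or wrong row")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; see the assumption on MessageKey for where a real one lives.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	mk, err := NewMessageKey(key)
	if err != nil {
		panic(err)
	}
	stored, _ := mk.Seal("msg-42", "user-bob", "dinner at 7?")
	fmt.Println("stored column value:", stored)

	body, err := mk.Open("msg-42", "user-bob", stored)
	fmt.Println("same row:", body, err)

	_, err = mk.Open("msg-43", "user-bob", stored) // ciphertext moved to another row
	fmt.Println("moved row:", err)
}
```

The `Seal` output is what goes into the `body` column; the `message_id` and `recipient_id` columns stay in the clear and are passed back to `Open` on read. Rotating the key means re-sealing every row under the new key, so storing a short key-version prefix next to the ciphertext is worth adding before the first real deployment.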

4 comments

  1. [2]
    mat

    I'm assuming you're talking about more than simple encryption of a text field in a database, so you want robust end-to-end encryption with verification of clients and so on - then in that case the Signal Project has all their specs and some libraries available and that's where I'd start. No sense reinventing the wheel, especially with crypto. If it's the former then good old RSA or Blowfish would be fine. As far as I know most languages have some implementation of those.

    3 votes
    1. suspended

      Thank you! I'll look into RSA and Blowfish.

      1 vote
  2. [2]
    ali

    Could you use something like https://openpgpjs.org/ ?
    Encrypt and send messages via PGP. You could host the encrypted private keys or just have them saved offline, the risk being that if they lose it, they will lose access to the messages.

    2 votes
    1. suspended

      Maybe? I'd have to do some careful reading about that method. Thank you for the idea though!

      1 vote