I am writing a flutter application where the user can essentially create notes. I have written code to create a private key for the user, which is later used to encrypt their data. The encrypted data is stored in Firebase Firestore. When their data is retrieved it is decrypted using their key.
I've looked at using Flutter Secure Storage, which works great, except that the secret key is only available on that device. If the user logs in on a new device, they will not be able to decrypt their notes.
My question is:
How/where can I store the user's secret key for decrypting their data so that only they have access to it, regardless of what device they log in with? What is best practice around this kind of solution?
final AesGcm algorithm = AesGcm.with256bits();
final SecretKey secretKey = await algorithm.newSecretKey();
// TODO: Write secretKey to storage that only the user can access with their account.
As explained by David in the Virgil Security talk at GDG, this problem is overcome by utilizing the user's password to derive a key (which David refers to as a brain key) which is then used to encrypt the user's private key. So, when a user signs up, a private key is created for them, which is then encrypted using the brain key. This encrypted password key is stored in the cloud.
Thus, when the user logs in from a new device, they type in their password and get the brain key from the password which is then used to decrypt their private key and is consequently saved to the user's device. Now, you might be wondering what happens if the user changes their password. In order to change one's password, the old password is required which is then used to create a new brain key and store the private key in an encrypted format.