I am building a Web Application where the user's data is end-to-end-encrypted.
The web client obviously needs a secret that nobody else knows for end-to-end-encryption to work.
I have planned to have the user choose a password and then derive an encryption key from it.
Currently, the user has to enter his password again, once he reloads my single-page-app, as the secret is not stored on disk, because storing it in localstorage is probably bad from a security standpoint.
In a native app I'd use something like the keychain to securely store such secrets. What would I use on the web?
I know the Credential Management API exists, this doesn't work for me because Safari on iOS doesn't support it.
What are the best practices to store user secrets on device from a Web Application? (Preferably without user interaction when retrieving the stored password)
Possible Solution: