User encryption key for E2EE

marek-hradil · June 16, 2021, 3:26pm

We run a web app with a sort of end-to-end cryptography system, where everything is encrypted with keys derived from the user password.

Recently a request for SSO implementation came. From this it seems that implementing SSO and also E2EE, without the need for a desktop or mobile app is possible, but that is the only mention I found.

Is there a way of getting some secret from Auth0 that is unique for each user, is secure to use for encryption of user data and does not change between sessions? Or is this just generally not a good idea at all?

dan.woda · June 23, 2021, 9:33pm

Hi @marek-hradil,

Welcome to the Community!

You can store user-specific data in the user’s app_metadata. The persistent data can then be added to the token and sent to your application after the user authenticates.

App_metadata is not typically used for secret/credential storage, but instead is used for storing access information like a user’s subscription level, external IDs, or permissions. That doesn’t necessarily mean its a good or bad idea, but I would proceed with caution, as it is not the intended purpose of the feature.

Topic		Replies	Views
Can I store secret encryption keys in app_metadata? Get Help user-profile , user-management	3	1380	January 26, 2023
Storing encryption secrets for each user Get Help	11	6053	January 9, 2020
App level encription with auth0? Get Help	2	3428	December 18, 2018
How to save unique key/data against user? Get Help auth0 , custom-database , user-metadata	4	4068	July 26, 2019
Storing secret in user_metadata Get Help auth0	3	3437	January 19, 2021

User encryption key for E2EE

Related topics