Client side encryption & decryption

meelvoorfer · August 8, 2021, 12:59pm

Hi,

What are the possibilities of doing client side encryption and decryption in Anvil? So I want to be able to decrypt and encrypt strings locally/ ‘in the browser’ with a key which is entered and/or stored locally. I saw an example of doing AES encryption/decryption in python: (https://www.quickprogrammingtips.com/python/aes-256-encryption-and-decryption-in-python.html but I’m missing the necessary libraries in client side python (hash lib and pycrypto).

An example of doing this in javascript is here: https://asecuritysite.com/encryption/js02

But basically I do not really want to ‘roll my own crypto’ so if this could be added to Anvil this would be great!

divyeshlakhotia · August 9, 2021, 2:38am

A client side decryption seems to have no use at all. Why even encrypt things when the decryption is available to your attacker anyway? If you still want to do it, you can either use Base64 encoding which is available in Client side or make your own encrypt and decrypt easily

def encrypt(text):
   text=text.replace('a','foo')
   text=text.replace('b','bar')

p.colbert · August 9, 2021, 2:01pm

It depends on the use-case, e.g., where the information is coming from, and where it is going.

That’s very sensible, especially if you have to match an existing crypto standard.

meelvoorfer · August 9, 2021, 2:50pm

Hi divyeshlakhotia, thanks for replying.

Let me explain the use case, the ‘attacker’ is actually the customer/user who wants to protect the Personally Identifiable Information (PII) when uploading data to a cloud/saas service like what can be build with Anvil.

So what I would like to be able to do is let the customer upload data , for instance a spreadsheet or csv file but she has encrypted the columns which contain PII, like person name, email, address, customer name , maybe also product descriptions with a key only known to her. So when she has uploaded the data I’m storing all of it in an (encrypted) database with a key which I’m generating and storing in app secrets, ill discard the excel. When she wants to view and maintain the data in my great looking table view , she sees the PII as she has uploaded it (encrypted) and she can decrypt it by clicking on the column and entering her key. I’m not storing her key or the decrypted data, I’m only usingthe key to decrypt the viewable data in the browser.

Ofcourse there are some limitations with the encrypted PII, for example you cannot search/filter server side on it but the advantages are that it may address GDPR or HIPAA requirements (haven’t checked that in detail) and it will also give me and the customer some peace of mind that even if some servers get hacked the data is protected first by a key kept by the cloud service (anvil secret) and second the PII is double protected by her key.

Does that make sense?

divyeshlakhotia · August 9, 2021, 4:03pm

Yes of course it does. I hope the Anvil staff will consider it.

ben.lawrence · May 16, 2022, 5:38pm

Don’t you need a AES key to encrypt/decrypt?