Encrypting sensitive user data in Firebase Realtime Database


Andy Geers
Jul 4, 2017, 11:19:46 AM
to Firebase Google Group
My app stores highly sensitive user data that I don't want to be able to read, so I wrote a blog post about the solution I'm taking to encrypt that data client-side and handle the encryption keys. I'm sharing it here in case it's of use to others (it also includes a link to a GitHub repo of the very simple backend auth service I used, leveraging Google Cloud Key Management Service): http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/


Ian Barber
Jul 5, 2017, 10:33:23 AM
to Firebase Google Group
Very cool Andy, I've seen a few people ask about this topic, so I think this will be a very helpful post!

On Mon, Jul 3, 2017 at 4:06 AM, 'Andy Geers' via Firebase Google Group <fireba...@googlegroups.com> wrote:
My app stores highly sensitive user data that I don't want to be able to read, so I wrote a blog post about the solution I'm taking to encrypt that data client-side and handle the encryption keys. I'm sharing it here in case it's of use to others (it also includes a link to a GitHub repo of the very simple backend auth service I used, leveraging Google Cloud Key Management Service): http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/



Zarko Milosevic
Oct 10, 2017, 9:39:29 PM
to Firebase Google Group
I have the same problem you described in your post. I have read your article, but what I do not understand is how you restrained the owner of the application from being able to use user data?

If the application can access the decryption key from KMS, then that data can be exposed to the owner of the app. Is that right, or am I missing something here?

Andy Geers
Oct 11, 2017, 2:04:08 PM
to Firebase Google Group
The user who has permissions to decrypt keys does not have permissions to access the Firebase Realtime Database, and vice versa - so there is a separation of responsibilities.
It's not quite the same end-to-end encryption as something like WhatsApp - obviously I could maliciously modify my client app to transmit the data and the decryption key to some server. But so could WhatsApp!

Zarko Milosevic
Oct 11, 2017, 6:22:22 PM
to Firebase Google Group
As Firebase admin you can, via the Firebase console for example, access all user data on one side and, by accessing the key in KMS on the other side, you can decrypt it. I'm asking all these questions because I'm also trying to find a solution for the same problem, so I just want to clarify.

Andy Geers
Oct 12, 2017, 9:54:35 AM
to Firebase Google Group
No, the Firebase admin doesn't have KMS access - that's a different user who has that. The auth service will only permit the specific Firebase user who owns the key to decrypt it.

Zarko Milosevic
Oct 12, 2017, 7:03:11 PM
to Firebase Google Group
Sorry for not being clear. Yes, I realise that the Firebase admin doesn't have access to the KMS KEK. KMS is related to your app via another service account. But both accounts are yours.
You can access Firebase data via the Firebase admin account and the key encryption key via the other account. Right?

Andy Geers
Oct 13, 2017, 5:59:21 PM
to Firebase Google Group
You're right - today, both accounts are mine. But at least a hacker needs to compromise TWO Google accounts not just one. But the destination is that eventually the KMS user is not mine at all but belongs to another staff member who won't have Firebase admin privileges, so there is true separation of responsibility.