Redux-persist: Adding ability to encrypt storage data

Created on 9 Feb 2017  路  11Comments  路  Source: rt2zz/redux-persist

Do you have near term plans to incorporate encryption onto the storage data?
https://github.com/jas-/crypt.io

In this case, we could pass an additional attribute in the persistConfig to persist the data with encryption (The flag could either be the machine's UUID or a user set passphrase)

var pass = window.prompt("Please enter password...", "a custom password");

var persistConfig = {
  passphrase: pass
};

persistStore(store, config, callback);
picture kappa-gooner
👍4

Most helpful comment

I've implemented the idea @rt2zz earlier and it's working quite well (it passes security audits). For iOS we use a passphrase stored in the KeyChain on Android on KeyStore. With that passphrase we encrypt/decrypt data via redux-persist.

Two things to keep in mind

  • crypto-js is slow, especially with huge data sets stored on device, a off js thread will be cool to have
  • lock/reboot iOS locks the keychain, you need to adjust settings to make the keychain available on any time (otherwise your app won't be able to decrypt the data on the background (e.g. via a geofence event or background-fetch execution time process)

Planning to make this mechanism open-source, as it's battle tested for some months now in different production apps.

picture robmoorman on 10 Feb 2017
👍7

All 11 comments

I think this can be achieved today using https://github.com/maxdeviant/redux-persist-transform-encrypt, although that uses crypto-js not crypt.io.

Looking at crypt.io it I think could work with some adaptation, but the one method it is missing is getAllKeys. This could theoretically be achieved by saving a separate known key which stores all other keys, but that would require some adaptation in redux-persist core. Open to PRs!

rt2zz picture rt2zz on 9 Feb 2017
👍1

I've implemented the idea @rt2zz earlier and it's working quite well (it passes security audits). For iOS we use a passphrase stored in the KeyChain on Android on KeyStore. With that passphrase we encrypt/decrypt data via redux-persist.

Two things to keep in mind

  • crypto-js is slow, especially with huge data sets stored on device, a off js thread will be cool to have
  • lock/reboot iOS locks the keychain, you need to adjust settings to make the keychain available on any time (otherwise your app won't be able to decrypt the data on the background (e.g. via a geofence event or background-fetch execution time process)

Planning to make this mechanism open-source, as it's battle tested for some months now in different production apps.

robmoorman picture robmoorman on 10 Feb 2017
👍7

@robmoorman wow very interested in your implementation. is it materially different from https://github.com/maxdeviant/redux-persist-transform-encrypt ?

As for lock/reboot locking the keychain is there a workaround? do you keep the data you need in the background in a non-encrypted store?

rt2zz picture rt2zz on 10 Feb 2017

Hi @rt2zz it's an addition to https://github.com/maxdeviant/redux-persist-transform-encrypt as the secretKey comes from the KeyChain/KeyStore (auto-generated by the device), so it's not stored in the JS bundle on device.

There is a setting for iOS, yes. To adjust that the keychain can be accessed in this case.
I used this, but you can see what the settings is like: https://github.com/oblador/react-native-keychain/blob/master/RNKeychainManager/RNKeychainManager.m#L85

More info here: https://developer.apple.com/reference/security/ksecattraccessiblealways

I'll inform you when this package is ready (need it for a project right now, so planning to make it open-source).

robmoorman picture robmoorman on 10 Feb 2017
👍6

@robmoorman any progress on your project?

enahum picture enahum on 30 Aug 2017

@robmoorman i am also interested in your approach. Any possibilies you can share some more information? 馃憤

patrickkempff picture patrickkempff on 5 Oct 2017

He @patrickkempff haven't got the time (yet) to work on this. You can watch my eact-native-redux-secure-storage repo, I'll place it over there.

robmoorman picture robmoorman on 5 Oct 2017
👍1

I missed it the first time I read the readme, but if you're on react native redux-persist-sensitive-storage also looks like a good candidate.

phillbaker picture phillbaker on 20 Oct 2017

@robmoorman Have you had a chance to open source your react-native-redux-secure-storage?

taranda picture taranda on 18 Jun 2018

Here is a very simple implementation using react-native-keychain:
https://gist.github.com/patrickkempff/86f44f017568a973f5c041b205e4365c

patrickkempff picture patrickkempff on 18 Jun 2018
👍3

I need to encrypt all my reducers using redux-persist (in that I am using persist-store) in which all my data is stored in browser local-storage. When I see my browser local-storage, I should able to see my data encrypted, once it gets passed from persist-store and stored into local-storage.

Can you please help me with some examples.

vidhyeshpatil picture vidhyeshpatil on 27 Jul 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Clumsy-Coder picture Clumsy-Coder  路  3Comments
ssorallen picture ssorallen  路  4Comments
ucarion picture ucarion  路  4Comments
openscript picture openscript  路  4Comments
scic picture scic  路  3Comments