From d5b04b1b9688e0bfbf2e93d896f70545ac507388 Mon Sep 17 00:00:00 2001 From: Rajdeep Sengupta Date: Mon, 13 May 2024 16:44:19 +0530 Subject: [PATCH] Create user-data-protection.md --- docs/backend/user-data-protection.md | 48 ++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 docs/backend/user-data-protection.md diff --git a/docs/backend/user-data-protection.md b/docs/backend/user-data-protection.md new file mode 100644 index 0000000..5fbb211 --- /dev/null +++ b/docs/backend/user-data-protection.md 
@@ -0,0 +1,48 @@ + +# User Data Protection + +Data protection is one of the main things for a auth server and we have taken that seriously. Here is a breif how the data gets encrypted and stored in the database. + + + +## Method + +The method we are using for encryption is **Envelope Encryption** + +### Terminology ( to keep in mind ) +- `DEK`: Data Encryption Key +- `KEK` : Key Encryption Key + + +## Diagram + +![data-protection-inhouse-auth](https://github.com/Rajdip019/in-house-auth/assets/91758830/163fdd5a-1757-481c-ba18-3a4bfacb72d2) + + +## Explaination + +Here is a strp by step guide on how it works. + +### Step 1: +Every user is assigned a new and unique `DEK` when they sign up. + +### Step 2: +We encrypt all the user data from `Session Details`, `Password Reset Request` and all with the user `DEK` using the `AESGcm256` algorithm and store it to DB. + +### Step 3: +The auth server has his own `KEK`. This is unique for the server. You can generate it by running the command below from the root of your project. ( Make sure you have cargo installed ) - [How to install cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html) +``` +cargo run --bin create_kek +``` + +### Step 4: +We use the `KEK` to encrypt the `DEK` using the same `AESGcm256` algorithm and store it to DB. + +### Step 5: ( Additional ) +For additional safety you can use `GCP KMS`, `AWS KMS` or any other cloud provider for additional safety. + + + +## Feedback + +If you have any feedback, please raise a issue or start a discussion. Thank you.
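Review bot: Step 3 documents how to generate the `KEK` (`cargo run --bin create_kek`) but not where the generated key ends up or how the server loads it. Since Step 4 stores the KEK-encrypted `DEK` in the same DB as the user data, the whole scheme depends on the `KEK` being kept somewhere else. Suggest adding a sentence to Step 3 stating where the command writes the key, how it is supplied to the server, and that it must not be committed to the repository or stored in the database. Steps 2 and 4 should also say how the AES-GCM nonce is generated and where it is stored: a nonce must never repeat under one key, and per Step 2 a single user `DEK` encrypts many records (session details, password reset requests and so on). Step 5 says "additional safety" twice without saying what the KMS would actually do (for example, hold or wrap the `KEK`); please spell that out. Typos to fix while here: "a auth server", "breif", "Explaination", "strp by step", "has his own", "a issue".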