Encryption key management is critical when building secure apps, as encryption is only as good as the management of the encryption key.
Managing encryption keys client-side is an incredibly complicated and risky task, as apps will need to persist and use an encryption key client-side to enable secure offline apps.
Historically, secure client-side key management was impossible. However, thanks to advances in mobile device hardware and APIs, there is a way to securely manage sensitive values such as encryption keys on the client, and the companion Ionic Identity Vault product was built to correctly and securely implement those capabilities.
Ionic Identity Vault is a powerful solution that provides a cross-platform layer on top of modern mobile security hardware and biometric authentication. Sensitive values, such as encryption keys or auth tokens, can be stored securely on-device or at rest in specialty hardware developed by Apple and vendors in the Android ecosystem.
Used in tandem with Secure Storage, Ionic Identity Vault lets developers safely store and manage their encryption key on device, and enable biometric authentication to secure sensitive data against theft, loss, or jailbreaking.
In practice, once the app user authenticates, the app obtains an encryption key following one of several strategies. One strategy is to auto-generate a unique encryption key on demand, tied to the authenticated user. Another is to retrieve it from a server backend through an API call. Next, store the encryption key securely using Identity Vault. Finally, configure Secure Storage with the encryption key to encrypt all data.
To get started, follow the Identity Vault installation instructions.
There are several approaches to obtain an encryption key. It's recommended to use a Service that encapsulates all key retrieval logic.
Auto-generate a unique encryption key on demand, tied to the authenticated user. Note that the key is not retrievable.
Retrieve the key from a server backend using an API call and your tooling of choice. The key may be retrievable depending on the backend configuration.
Secure the encryption key on-device using Ionic Identity Vault. It's recommended to create a Service that encapsulates all key storage logic.
Begin by injecting the KeyService created above and creating a key that represents the encryption key to be stored in IV.
Next, create a generic function that stores values in Identity Vault.
Next, create a function to retrieve the encryption key from on-device storage. If the key was previously stored in Identity Vault, return it. Otherwise, use the KeyService to obtain an encryption key, then save it into Identity Vault using the generic store function from the previous step.
Configure Secure Storage with the newly generated encryption key. It's recommended to create a Service that encapsulates all storage logic.
Begin by injecting the IdentityService created above, then call an initialization function in the constructor. Within the init function, obtain the encryption key from the IdentityService, then set it as the key property in the call that configures Secure Storage.
Now that Secure Storage has been configured with an encryption key, all data will be encrypted at-rest.
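The three services described above (KeyService, IdentityService, StorageService) wired together end to end, as an added example that is not Ionic's own code or the code from this guide. The VaultStore and SecureStorageLike interfaces, the MemoryVault and RecordingStorage stand-ins, the ENCRYPTION_KEY_NAME constant and the user id are all assumptions made so the flow runs off-device; in an app, wire those interfaces to the real Identity Vault and Secure Storage APIs and generate the key with Web Crypto instead of Node's crypto module.

```typescript
import { randomBytes } from 'crypto';

// Minimal shapes of the two on-device stores (assumed, not the real library types).
export interface VaultStore {
  getValue(name: string): Promise<string | null>;
  setValue(name: string, value: string): Promise<void>;
}
export interface SecureStorageLike {
  setEncryptionKey(key: string): Promise<void>;
}

// Name under which the encryption key is kept in the vault (assumed).
export const ENCRYPTION_KEY_NAME = 'encryptionKey';

// KeyService: obtains a key and never persists it. Without a backend fetcher it
// generates a fresh 256-bit key from a CSPRNG (the "not retrievable" strategy:
// if the vault copy is lost, the key cannot be recreated).
export class KeyService {
  constructor(private readonly fetchFromBackend?: (userId: string) => Promise<string>) {}

  async getKey(userId: string): Promise<string> {
    if (this.fetchFromBackend) {
      return this.fetchFromBackend(userId);
    }
    return randomBytes(32).toString('hex');
  }
}

// IdentityService: the only component that touches the vault.
export class IdentityService {
  constructor(private readonly vault: VaultStore, private readonly keyService: KeyService) {}

  // Generic store function for any sensitive value.
  storeValue(name: string, value: string): Promise<void> {
    return this.vault.setValue(name, value);
  }

  // Return the stored key, or obtain one once and store it before returning it.
  async getEncryptionKey(userId: string): Promise<string> {
    const stored = await this.vault.getValue(ENCRYPTION_KEY_NAME);
    if (stored !== null) {
      return stored;
    }
    const fresh = await this.keyService.getKey(userId);
    await this.storeValue(ENCRYPTION_KEY_NAME, fresh);
    return fresh;
  }
}

// StorageService: hands the key to Secure Storage once, at initialization.
export class StorageService {
  constructor(private readonly identity: IdentityService, private readonly storage: SecureStorageLike) {}

  async init(userId: string): Promise<void> {
    const key = await this.identity.getEncryptionKey(userId);
    await this.storage.setEncryptionKey(key);
  }
}

// In-memory stand-ins so the flow can be exercised without a device.
export class MemoryVault implements VaultStore {
  private readonly values = new Map<string, string>();
  async getValue(name: string): Promise<string | null> {
    return this.values.get(name) ?? null;
  }
  async setValue(name: string, value: string): Promise<void> {
    this.values.set(name, value);
  }
}
export class RecordingStorage implements SecureStorageLike {
  public configuredKeys: string[] = [];
  async setEncryptionKey(key: string): Promise<void> {
    this.configuredKeys.push(key);
  }
}

export const HEX_256_BIT = /^[0-9a-f]{64}$/;

// Run the flow for two app launches against one vault (the key must survive the
// restart unchanged) and once with a backend-supplied key.
export async function runFlow(): Promise<{ firstKey: string; secondKey: string; configured: string[]; backendKey: string }> {
  const vault = new MemoryVault();
  const storage = new RecordingStorage();
  const identity = new IdentityService(vault, new KeyService());
  const storageService = new StorageService(identity, storage);

  await storageService.init('user-42');                 // first launch: key generated and vaulted
  const firstKey = await identity.getEncryptionKey('user-42');
  await storageService.init('user-42');                 // second launch: key read back from the vault
  const secondKey = await identity.getEncryptionKey('user-42');

  // Constructed placeholder for a backend API call that returns the user's key.
  const backendFetcher = async (userId: string) => `server-key-for-${userId}`;
  const backendIdentity = new IdentityService(new MemoryVault(), new KeyService(backendFetcher));
  const backendKey = await backendIdentity.getEncryptionKey('user-42');

  return { firstKey, secondKey, configured: storage.configuredKeys, backendKey };
}
```

The split matters for review: only IdentityService reads or writes the vault, only StorageService passes the key to Secure Storage, and the key is never written anywhere else (not to logs, preferences, or plain storage), so the vault's biometric gate is the single path to it.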