Storing semi-confidential data

1 points by RossM ↗ HN
I'm developing a diary/journal web-app - there are many things that make this better over using a diary but the obvious disadvantage is that you can hide your diary under the bed and be pretty sure noone is reading it. While I can say in a privacy policy I'm not going to read any entries you make that's still up to the user to trust me on that. So what I'm looking for is a method to encrypt (and decrypt) the text entries made by the user.

I'm really not very knowledgeable on encryption so I'm looking for some advice on how to do this. My main idea at the moment is to have a key that is never stored and is entered each time they login and used throughout the session to encrypt and decrypt each text entry. Again the user can't necessarily know the key is not being stored but as far as the implementation goes this seems ok. This also has the added benefit of users being able to store entries under different keys so that there isn't a single key to unlock them all.

Is there a better/more common way of doing this?

1 comment

[ 3.4 ms ] story [ 14.4 ms ] thread
User can only login using a salt that he throws at the system. U: ambiate P: pass S: BlueSky --> Server md5(BlueSkypass) and check it, never storing it. Save two passwords, one for general logins (using your own salt) and one resalted password with the user's own passphrase for the hidden data. Maybe just implement an OpenID or Facebook login or something of that nature? This might be misinformation... I haven't looked at encryption in forever!