Field-level E2E encryption best practices

I’d like to encrypt specific fields using a key known only to the user, to protect data from administrators and also from stuff like breaches. The encryption and decryption should only happen client-side, before data is sent over the network.

Are there best practices for doing this with Parse? (I’m using the JS SDK)

If encryption and decryption is client-side, Parse has nothing to do with it…? What’s stopping you from just storing the encrypted data?

If you just do an online search for “e2e encryption parse server” there are some tutorials and examples for e2e encryption.

It may not necessarily be exactly what you are asking for (key only known client side) if it is using a 3rd party key provider. However, you may want to reconsider that concept because legislation is going towards requiring the service provider to be able to decrypt if required by law enforcement and more service provider accountability. It’s unlikely that we’ll see (m)any true e2e encryption consumer products anymore in the coming 5-10 years, which seems what you are asking for. That’s just my personal prediction of course.

Not everybody is a “service provider”. The server could be an in-house (or local) server, I don’t see what could be the legal case to have a mandatory server-side decoding. Are you saying that apps such as Signal will soon be illegal?

This was a side note about where legislation is currently heading for consumer products. The E.U. is preparing legislation specifically for that, the U.S. is leaning into that direction and China already has legislation for that. To answer your question, yes, e2e encryption without a backdoor for the service provider and subsequently law enforcement is already illegal in some jurisdictions.

Obviously this is not a legal forum, and how this applies to your product is something you’d have to evaluate for yourself, but generally it may be interesting context for some readers.

Disclaimer: this is not legal advice or an official statement by Parse Platform but personal opinion.


Thanks, I’ll dig through those examples and see if there’s anything I can use. I was hoping there were some libraries that implemented this functionality / wrapped ParseObjects for ease of use.

The legality aspect is interesting and something I hadn’t considered. I don’t have consumer plans for this app, but it’s something to think about in the future.

Unfortunately that is not a current feature of Parse Server. It would definitely be an interesting feature though. Unfortunately this project is currently lacking a process to prioritize the addition of suggested features and purposefully allocate the required budget. It’s fundamental homework that we need to get done urgently, I will bring this up with other core team members.