We want to have sensitive data encrypted and stored in a database. And when a user is viewing a form, if they are authorised to see this sensitive data, they will have an additional "password" that would decrypt the data for their session.
I was looking at public/private key encryption and using a human friendly password to generating the private key (sha hash etc) and the corresponding public key. The public key would be used to encrypt new sensitive data entered. And if users need to see the data they would enter the password ("private key") (in addition to having usual login account and permission settings). This also avoids having the private key/password stored on any server.
Just using any random strings as a private key does not work:
-----BEGIN PRIVATE KEY-----
sha_hash('myPassword'.$salt)
-----END PRIVATE KEY-----
So at the moment users would have to copy paste the private key text (made via openssl etc.) into a prompt to decrypt the info. This would most likely mean people storing this key in a file or their email.
Is something like this possible? Create my own private key string and then create a public key from that?
Is something like this possible? Create my own private key string and then create a public key from that?
Yes, it's possible in the abstract. No, it's not trivial with RSA, which requires prime numbers.
Example from Halite (which doesn't use RSA and is better off without RSA):
$salt = random_bytes(16); // Do this once, then make it a constant
$keyPair = KeyFactory::deriveEncryptionKeyPair(
"My password",
$salt,
false, // This isn't a legacy key
KeyFactory::SENSITIVE
);
$privateKey = $keyPair->getSecretKey();
$publicKey = $keyPair->getPublicKey();
var_dump(bin2hex($privateKey->getRawKeyMaterial()));
var_dump(bin2hex($publicKey->getRawKeyMaterial()));
Example output:
string(64) "030d6e4c462b2d15a48441cead4d1b9d0ae4a2ea6926a78e180a8b7d3ce6508f"
string(64) "189c86722bc81550186fd0eaba2a97d2e6c0a9c6f63a098cc1495309c7f9a71e"
These are ECDH keys over Curve25519, provided by libsodium.