Thursday, 2 September 2021

Technologies for building a Node-based mailing list

I'm working on a website in Node, specifically Next. I've set up an endpoint for people to send their email addresses, which will be stored, encrypted, locally.

Right now the addresses are stored in a .txt file encrypted using the built-in Node crypto library, decrypted in memory when a new one is added, and written over the locked file once the operation is complete.

My question is three-fold.

  1. Various sources I've seen around the internet suggest that using Node's crypto module for small files, such as a .txt containing a few hundred email addresses, is laughably easy to crack. Is this true, and if so what alternatives are there? Installing MongoDB (or what have you) is perfectly fine, but it is just a single CSV.
  2. I've been rather paranoid about security while making this project, but I'm coming to believe that this is unnecessary, as in real-world conditions, with a live site, most of the security will be built-in. What kind of precautions are sensible when your project is a website deployed via Vercel/Google Cloud? Encrypted keys seem sensible, but what about encrypting important data like the email addresses?
  3. The email addresses are encrypted using a master password which is then stored, also encrypted, in a process environment variable. It has to be decrypted (or manually set to a temporary process env) for each action involving the email list. How secure is this? Are there alternatives? Storing the password, even encrypted, feels wrong.


