Question: how do you store data encryption key for each user?
because:
- you get the password form the user
- compute the PBKDF2 with iteration and a salt, store iteration$salt$hash (where hash is the result of the PBKDF2 on the password).
- when user logs in check that the hash matches the PBKDF2 on password with iteration and salt.
But now, i've a the data enccryption key (DEK) and i've to store it somewhere.
I can't use the password directly to encrypt the DEK since the lenght must be 32 (or 16, or 24). I
should use PBKDF2 to derive a 32 byte hash, but this value is already stored in the password_hashed field. Should I compute anoterh PBKDF2 with a different salt and a different iterations for the encryption of DEK? if so i'll store in the db just$iterations and encryption and apply those to the password (after the user logs in) to derive an encryption key for the DEK?
because:
- you get the password form the user
- compute the PBKDF2 with iteration and a salt, store iteration$salt$hash (where hash is the result of the PBKDF2 on the password).
- when user logs in check that the hash matches the PBKDF2 on password with iteration and salt.
But now, i've a the data enccryption key (DEK) and i've to store it somewhere. I can't use the password directly to encrypt the DEK since the lenght must be 32 (or 16, or 24). I should use PBKDF2 to derive a 32 byte hash, but this value is already stored in the password_hashed field. Should I compute anoterh PBKDF2 with a different salt and a different iterations for the encryption of DEK? if so i'll store in the db just$iterations and encryption and apply those to the password (after the user logs in) to derive an encryption key for the DEK?
What's a good approach?