purton-tech/barricade

Hash auth key with Argon2id, encrypt protected private keys with the result.

9876691 opened this issue · 0 comments

See this article.

https://dchest.com/2020/05/25/improving-storage-of-password-encrypted-secrets-in-end-to-end-encrypted-apps/

In the event of a server breach, make brute force memory-hard and make sure the attacker has to do a full brute force, not just a brute force of the password + 1 decrypt.

We will need to store the seed for the argon so that we can reproduce the key.

Problem: how do we get the master_key_hash for the decrypt page?

Store in encrypted cookie?
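A sketch of the server-side flow the issue describes, added here as an example and not taken from the barricade code base: the auth key is stretched with a memory-hard hash, the salt is stored so the keys can be reproduced, and the output both verifies the login and wraps the already client-encrypted private key. Assumptions: `hashlib.scrypt` stands in for Argon2id and an HMAC-SHA256 counter stream with a MAC stands in for a real AEAD so the block runs on the standard library alone; all function and field names are hypothetical.

```python
from __future__ import annotations
import hashlib, hmac, os

def stretch(auth_key: bytes, salt: bytes) -> tuple[bytes, bytes, bytes]:
    """Memory-hard hash of the client's auth key, split into three 32-byte keys."""
    # Stand-in: scrypt from the stdlib. The issue calls for Argon2id.
    out = hashlib.scrypt(auth_key, salt=salt, n=2**14, r=8, p=1,
                         maxmem=2**26, dklen=96)
    return out[:32], out[32:64], out[64:]   # verifier, enc_key, mac_key

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Use a real AEAD in production.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def register(auth_key: bytes, protected_private_key: bytes) -> dict:
    """Build the server-side record; the auth key itself is never stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    verifier, enc_key, mac_key = stretch(auth_key, salt)
    wrapped = _xor_stream(enc_key, nonce, protected_private_key)
    tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier, "nonce": nonce,
            "wrapped": wrapped, "tag": tag}

def login(auth_key: bytes, record: dict) -> bytes | None:
    """Re-derive from the stored salt; return the client's blob or None."""
    verifier, enc_key, mac_key = stretch(auth_key, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    tag = hmac.new(mac_key, record["nonce"] + record["wrapped"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        return None
    return _xor_stream(enc_key, record["nonce"], record["wrapped"])
```

With only the stored record, each password guess has to pass through the client-side derivation and then the server-side memory-hard hash before the wrapped blob can be tested.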