There is an encryption / decryption task that needs to be run while creating or retrieving data in the application. The task is executed by the main thread and the service worker thread. The task would need access to an encryption key . The encryption key would be a long lived key that would need to exist till the user explicitly logs out.
The encryption key needs to be stored in a place that is accessible by both threads . The key should not be stored in IndexedDB. Session storage is not an option since it is newly created for every tab that the user opens. Local storage seems like a feasible option at the moment. The key should not be stored in a place where it’s easily accessible by a threat.
If you need to be able to access the key in offline mode, I suspect your only “secure” option would be to use a reversible hash locked by the user’s password.
For now, this key would be a reversible hash that is locked by the user password as suggested by @burke. That’s the idea. However, what we wanted to know is where we can store this hashed string.
It sounds like you know what your options are—IndexDB, session storage, local storage, or a cookie. Local storage is specific to the origin—local storage for one origin cannot be accessed from another. Cookies follow the same rules but also have mechanisms for explicitly allowing or disallowing domains or paths to access the cookie.
There’s nothing specific to O3 that will help you here.
The key should not be stored in a place where it’s easily accessible by a threat.
You may want to develop a clearer idea of your threat model. It’s hard to develop a good security strategy if you’re not sure what you’re defending against.