Login
1. Client: GET user-public-auth
   Server: 200 - salt, alg, iterations (retrieve public user info)
2. Client: hash the password 'hunter2' with the salt, alg and iterations from the server -> 'some111hash121=='. Use the defaults from libsodium.
3. Client: POST login (with the client-hashed password)
   Server: standard Django authentication, where the client-hashed password is the password; retrieve the encrypted private key
   Server: 200 - encrypted private key and auth token
4. Client: keep the encrypted private key, which can be decrypted with the secret key (technically it is base64 and not PEM): '-----BEGIN ENCRYPTED PRIVATE KEY...'
Create Secret /api/secrets
Form: Secret Name = "Spoiler"; Secret = "Soylent Green is people"; button [Create Secret]
Client:
1. Create a new secret key using a libsodium secret key (default alg)
2. Encrypt the secret key with the personal public key (ciphertext of key)
3. Encrypt the secret with the secret key (ciphertext of secret)
4. POST all ciphertext
Server:
201 - Great Success!
Store the secret name, the secret key ciphertext and the secret ciphertext
Retrieve Secret /api/secrets/<secret_id>/
Client: GET
Server: 200 - secret with ciphertext (retrieve the secret name, the secret key ciphertext and the secret ciphertext)
Client:
1. Decrypt the personal private key with the master password
2. Public key pair decrypt of the secret key ciphertext
3. Secret key decrypt of the secret: 'Soylent Green is people'
Displayed form: Secret Name = "Spoiler"; Secret = "Soylent Green is people"; button [Create Secret]
Sharing Secrets
First, we create a group with its own public key pair. Then, we add a user to the group. Finally, we add the secret to the group.
Key chain (read "->" as "decrypts"):
Personal Private Key
  -> Group Membership: Encrypted Secret Key (the personal private key decrypts the group membership secret key)
  -> Group Membership: Encrypted Private Key (the membership secret key decrypts the group private key)
  -> Group: Public Key (the key pair whose private half the membership record unwraps)
  -> Secret: the group private key decrypts the secret key, which decrypts the Secret Ciphertext (one for each group the secret belongs to)

Conceptually a group has one private key - but it is not stored on the server unencrypted. The private key ciphertext must be copied in for each Group membership.