How would you use user password as encryption key?

Hi All,

I’m currently in need of the following:

  • I want to use Keycloak for user authentication
  • I want to use the user’s password to derive an encryption key, preferably using PBKDF2.
  • This key will be used to encrypt/decrypt yet another encryption key, which will be used to encrypt/decrypt data of that user

So, if the user authenticates outside of my own application (Keycloak validates the username and password, but the encrypted encryption key, encrypted based on that password, would need to be stored inside my application and outside of Keycloak), how would I go about implementing this?

So basically I want to implement a DEK (data encryption key) and a KEK (key encryption key), where the DEK is encrypted with the KEK.
This KEK would be derived using PBKDF2 but would need to be based on the user’s password to “unlock the key” on authentication.

However, authentication is in Keycloak, while the DEK and KEK are to be used in the external application secured with Keycloak.

What would be a good strategy to tackle something like this?

Thanks for any advice and insights you can share!