Add option to password-protect the encryption key #11
lomigmegard
started this conversation in
Ideas
Replies: 2 comments
-
Would it be a problem to use a hash of the password as the KEK?
-
@j-l-m In the case of passwords, not all hash functions are good candidates, and a password-based KDF is advised.
-
An interesting optional feature would be to protect the encryption key using a password. The recipient would have to enter the password on the web page, with the decryption still fully client-side.
It could be done using derivation directly, stretching the password to derive the encryption key. But that would undermine the encryption security, making the cyphertext as weak/strong as the password. Another approach is to derive a KEK from the password, wrapping the fully random encryption key. This way the cyphertext is not impacted, and the security level of the password is kept client-side.
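The KEK-wrapping approach from the original post, combined with the password-based KDF advised in the replies, as an added WebCrypto example that is not part of the discussion or the project's code. The choice of PBKDF2 and AES-KW, the iteration count, and all function and field names are assumptions made for illustration.

```javascript
// Added example; names, KDF choice and parameters are illustrative assumptions.
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for target devices

// Browsers expose globalThis.crypto; older Node versions need the fallback.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Stretch the password into an AES-KW key-encryption key (KEK).
async function deriveKek(password, salt) {
  const { subtle } = await getCrypto();
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Sender side: encrypt under a fully random key, then wrap that key with the KEK.
// The ciphertext strength therefore does not depend on the password.
async function protect(plaintext, password) {
  const c = await getCrypto();
  const dek = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const ciphertext = await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, dek, new TextEncoder().encode(plaintext));
  const wrappedKey = await c.subtle.wrapKey('raw', dek, await deriveKek(password, salt), 'AES-KW');
  return { salt, iv, ciphertext: new Uint8Array(ciphertext), wrappedKey: new Uint8Array(wrappedKey) };
}

// Recipient side: a wrong password fails the AES-KW integrity check, so null is returned.
async function unprotect(bundle, password) {
  const { subtle } = await getCrypto();
  try {
    const dek = await subtle.unwrapKey('raw', bundle.wrappedKey,
      await deriveKek(password, bundle.salt), 'AES-KW', 'AES-GCM', false, ['decrypt']);
    const plain = await subtle.decrypt({ name: 'AES-GCM', iv: bundle.iv }, dek, bundle.ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null;
  }
}
```

Anyone holding the wrapped key and salt can still guess passwords offline, so the KDF work factor is what bounds the security of the wrapped key.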