< Encrypt37: How encryption works here?
I use the famous openpgpjs library (used by Proton) to do the end-to-end encryption. See what is PGP here.
When you signup:
- Your device generates a public & private key pair.
- Then your device encrypts the private key with your password;
- Then your device sends your username, public key, encrypted private key to server;
Your password never leaves your device!!!
Most websites send your password in plain text to their server, like Google, Facebook, X etc.
When you sign in:
- Your device makes a request with your username to get your public key, encrypted private key, and a challenge encrypted with your public key;
- Your device decrypts the encrypted private key with your password;
- Then it uses the decrypted private key to decrypt the challenge, and send the decrypted challenge to server;
- Server checks if the challenge is solved, if yes, it will return an access token and a refresh token back to your device, and you are logged in.
So again, your password never leaves your device!!!
When you send some texts or files:
- Your device generates a strong password;
- Then your device encrypts the texts or files with this password;
- Then your device encrypts this password with your public key;
- Then your device sends the encrypted texts or files and the encrypted password to server;
When you fetch some texts or files:
- Your device gets the encrypted texts or files and the encrypted password from server;
- Your device decrypts the encrypted password with your private key;
- Then your device decrypts the encrypted texts or files with the decrypted password;