CloudServices/Sync/ExtensionStorage Design Doc: Difference between revisions

Add another note about when encryption happens
(update this document to match new version of patch)
(Add another note about when encryption happens)
Line 9: Line 9:
=== Crypto ===
=== Crypto ===


When a user does a sync, we want the user's data to be stored securely, so we encrypt it. This encryption happens using the Kinto "remote transformer" feature. This means that encryption happens on the client side before sending the data, or just after receiving the data.
When a user does a sync, we want the user's data to be stored securely, so we encrypt it. This encryption happens using the Kinto "remote transformer" feature. This means that encryption happens on the client side before sending the data, or just after receiving the data. This also means that all data is stored unencrypted locally.


Each collection (thus, extension) gets its own key. These keys are stored in a separate "keyring", which is itself stored as a record in a special "crypto" collection. This record is encrypted using a key that is derived from a user's kB. This two-tier crypto system was inherited from Firefox Sync and it helps us to minimize data that we reupload when a user's kB changes.
Each collection (thus, extension) gets its own key. These keys are stored in a separate "keyring", which is itself stored as a record in a special "crypto" collection. This record is encrypted using a key that is derived from a user's kB. This two-tier crypto system was inherited from Firefox Sync and it helps us to minimize data that we reupload when a user's kB changes.
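
Review bot: The sentence added to the first Crypto paragraph ("This also means that all data is stored unencrypted locally") records the consequence but not whether it is an accepted trade-off, so the design leaves open what the local copy relies on for protection at rest. Suggest stating that explicitly in the same paragraph. While touching this paragraph, "encryption happens on the client side before sending the data, or just after receiving the data" should say that decryption is what happens just after receiving.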