I’m building an open-source notes app using electron.
I’ll be using rxdb which uses crypto-js to encrypt fields using AES-256 after getting a passphrase and using pbkdf2 to generate a key. Rxdb is a document store in the browser.
I saw a couple of issues, mainly around the passphrase being compromised and all the data being compromised.
I’m going to introduce the ability to provide another encryption round using a note level password like a lock note function but that field is already locked anyway because they all are under the master password but it gives the opportunity to specify a different one for special use cases.
Over and above that I’ve created a library that allows a pepper to be generated and saved in the OS key store which can be combined with the master passphrase, the hope being that even keylogging a passphrase would still mean the database is not compromised if lifted unless they Keystore is also compromised.
The question is can I do anything else to harden this? I’ll probably integrate with Yubikey at some point but I’d like it to work independently first.
Mainly I’m a bit lost around how I can improve the validation and given the data is not moving around do I need to worry about this.