Encrypt User specific Information without a password

Çağlar Arlı

Given scenario:
I have an application (NodeJS) running on Heroku, the database is RDS on Amazon and I use Auth0 for authentication. I don't have access to passwords of the users, some users use social media logins.

The problem:
The application has to store API keys from third-party platforms provided by the user and of course I want to prevent at all costs that anyone will ever have access to these data (with the keys, transactions ($) could be executed directly on other platforms!).

How do I encrypt the data when I don't have access to the user's password at any time?

The cases to secure I can think of:

  • Someone has access to my Heroku Account
  • Someone has access to my Auth0 Admin Account
  • Someone steals my database (e.g. by having access to the Heroku environment variable)

Can I securely save and access (while the user is logged in) the users' API keys with my database?

It is okay for me, or even good, if I don't have access to the encrypted keys at any time. But I need them stored on my side in a persistent way. It's okay for me if the access is only possible when the user has an active session (by that I am giving up the possibility to perform any background tasks, but I do want to put security first and accept the negative impact on UX). I don't want to add another password for the API keys per user.

The solution can be on my end or using Auth0 or something like AWS Key Management Service. I have already done research, but to me it is still too blurry to say anything specific.