Storing sensitive data in Local Storage with encryption?
I have a notes app that's offline-first and syncs with remote database when online.
Currently, when a user creates a note, I'm encrypting it with AES. I ask the user to enter their decryption password on every page refresh and when they enter the password, I decrypt their data from localStorage and present it. I enforce a password requirement so the passwords are going to be good if not the best.
Many people online say that this is not secure but I cannot think of any alternatives. My webapp is offline first, so it has to work with a local database somehow. I do not care if users modify the data on their end by decrypting localStorage with their decryption password because the users are responsible for creating the data in the first place and because I do not allow editing when offline, only viewing the data.
So, I'd like to ask, is it okay to store user's sensitive data in localStorage with AES encryption that they have to enter their password for before viewing their data?
