How to allow users to securely use their private key to decrypt data in the browser [duplicate]
I'm working on an application where encrypted data can be stored on the server. Users can do this by obtaining public keys from the server, and use them to encrypt data locally before sending it to the server. This encryption feature provides an additional layer of security such that not even admins can read the data that is stored on the server.
In our normal workflow, a Python client is used to download the encrypted data and decrypt it locally using the private key.
Now, we are creating a web application, and we would like to offer our users the option to decrypt the data in the browser. My naive way of achieving that would be to upload the private key to e.g. session storage. This feels very wrong, but I find it hard to pinpoint the exact issues with this, or to think of a better solution.
Which risks would there be for the key to get stolen? (There's XSS scripting that I know of - we do have CSP policies to reduce that risk.) And would there be a better way to achieve this?
