#community-help

Encrypting Data from Typesense Cloud

TLDR: Loic wanted to add additional encryption for data retrieved from Typesense Cloud. Jason suggested that any additional encryption must be handled by the user's backend.

May 27, 2022 (19 months ago)
Loic
05:25 PM
Hi, is there a way to encrypt the data returned from the endpoint?
Jason
05:25 PM
(Based on our previous conversations) Since you're using Typesense Cloud, the data is already encrypted at rest (full disk encryption) and also in transit using HTTPS.
Loic
05:30 PM
Hi Jason 👋
When I do an export request, for example (called from Flutter/Dart for a phone app), there is no way that the user could read the data in clear when it is received and parsed as JSON objects? 🤔
Jason
05:33 PM
The data only gets decrypted on the end user's device. The data has to be decrypted at some point for the user to see the data, right?
Loic
05:34 PM
Yes, the data is received on the device and parsed as JSON objects to be displayed.
I am wondering if there is a way for an advanced user to hack the flow and read the whole data in clear.
Jason
05:35 PM
The encryption I was referring to was when the data is stored on Typesense Cloud and when the data is in transit to the user's device. A sophisticated user can indeed intercept HTTPS connections, install their own root cert and get the data from the export API response.
Jason
05:36 PM
May I know what type of data you want to secure and not let users access?
Loic
05:40 PM
It is a data set used as a product catalog that would be interesting for competitors to get.
I actually download this whole product catalog to the user device in order to refine and compute the search on the device and not on the Typesense server.
Jason
05:41 PM
I see, once you've downloaded it to a user's device, it's pretty hard to secure it at that point, because you have to decrypt it to show legit users the information.
Loic
05:44 PM
It is harder to access in-app data than to man-in-the-middle the network with a root cert, in my opinion. That's why I was thinking about encrypting the data set and decrypting it on the device when received.
Or it would be great to actually have a way to encrypt data at the endpoint somehow.
Jason
06:46 PM
Typesense doesn't do any encryption on top of HTTPS.
Jason
06:46 PM
So you would have to make a call to your backend, have your backend make a call to Typesense and then do any additional encryption you need on your backend, before sending it to the device.
