This guide shows how to encrypt (harden) a user's password and authenticate users with the Virgil PHE Service.
Learn more about how Password-Hardened Encryption works here.
Generate user's Pure Record
To create a Pure record for a database:
- Take the user's password (or hash) and pass it into the
- Store this user's unique record in your database.
The enrollment snippet below also provides an example on how to protect user personal data with
encryptionKey and encrypt user password hashes with
```csharp
using Virgil.PureKit;
using Virgil.PureKit.Phe;
using Virgil.PureKit.Utils;

// `protocol` is an already initialized PureKit protocol object;
// `data` is the byte array with the user data to protect.
var password = "passw0rd";

// create a new encrypted Pure record using the user password or its hash
var enrollResult = await protocol.EnrollAccountAsync(password);

// note that enrollResult.Record is a byte array.
// save the encrypted Pure record into your users DB;
// you can save enrollResult.Record to the database as a byte array or as a base64 string

// encode the encrypted password record as a base64 string
var recordBase64 = Bytes.ToString(enrollResult.Record, StringEncoding.BASE64);

// use the encryption key enrollResult.Key for protecting user data
var phe = new PheCrypto();
var encrypted = phe.Encrypt(data, enrollResult.Key);
```
Note! If you have a database with user passwords, you don't have to wait until they log in. You can go through your database and enroll (create) a user's Pure Record at any time.
Verify user's password
After a user has their Pure Record, you can authenticate the user by verifying their password using the
```csharp
using Virgil.PureKit;
using Virgil.PureKit.Phe;

// get the user's encrypted Pure record from your users DB into `record` (a byte array);
// `protocol` is the same initialized PureKit protocol object used for enrollment.
var passwordCandidate = "passw0rd";

// check the candidate password against the encrypted Pure record from your DB
var verifyResult = await protocol.VerifyPasswordAsync(passwordCandidate, record);
// (verifyResult.IsSuccess == false) if passwordCandidate is wrong.

// use verifyResult.Key for decrypting user data
// (`encrypted` is the ciphertext produced at enrollment)
var phe = new PheCrypto();
var decrypted = phe.Decrypt(encrypted, verifyResult.Key);
```
Change user's password
Use this flow when a user wants to change their password.
If you use PureKit not only for hardening passwords but also for encrypting the user's data, you'll have to re-encrypt that data with the new key so that the user doesn't lose access to it. Navigate to this guide and follow the instructions there.
If you're using PureKit only for encrypting passwords, you simply have to create a new Pure Record using the user's new password and replace the old Pure Record with the new one.
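The password-only change flow described above, written out as an added example (not code from the PureKit documentation). It assumes `Protocol` is the type of the initialized `protocol` object used in the snippets on this page, uses a hypothetical `IUserRecordStore` for database access, and adds a re-authentication step with the current password before the record is replaced.

```csharp
using System.Threading.Tasks;
using Virgil.PureKit;

// Hypothetical storage abstraction for the users table (not part of PureKit).
public interface IUserRecordStore
{
    Task<byte[]> LoadRecordAsync(string userId);
    Task ReplaceRecordAsync(string userId, byte[] newRecord);
}

public class PasswordChangeService
{
    // Assumption: Protocol is the type of the initialized `protocol` object
    // used in the enrollment and verification snippets.
    private readonly Protocol protocol;
    private readonly IUserRecordStore store;

    public PasswordChangeService(Protocol protocol, IUserRecordStore store)
    {
        this.protocol = protocol;
        this.store = store;
    }

    // Returns false when the current password does not verify;
    // the stored Pure Record is then left untouched.
    public async Task<bool> ChangePasswordAsync(
        string userId, string currentPassword, string newPassword)
    {
        var oldRecord = await store.LoadRecordAsync(userId);

        // Re-authenticate the user before accepting a new password.
        var verifyResult = await protocol.VerifyPasswordAsync(currentPassword, oldRecord);
        if (!verifyResult.IsSuccess)
        {
            return false;
        }

        // Enroll the new password: this yields a fresh Pure Record and a new key.
        var enrollResult = await protocol.EnrollAccountAsync(newPassword);

        // Overwrite the old record so the old password no longer verifies.
        await store.ReplaceRecordAsync(userId, enrollResult.Record);
        return true;
    }
}
```

This covers only the case where PureKit hardens passwords; if user data is encrypted with the old key, it must be re-encrypted before the old record is replaced.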
Start encrypting user's data with PureKit: