Password Encryption

PureKit provides a complete authentication system that replaces simple passwords (or password hashes) with encrypted passwords. This guide shows how to encrypt (harden) users' passwords and authenticate users with the Virgil PHE Service.

Learn more about how Password-Hardened Encryption works here.

Before you begin

Register user at PureKit

To register a user, take the user's password (or its hash) and pass it into the registerUser function. This function can be used both for new users and for users already registered in your system.

pure.registerUser(userId, password);

If you're using this function for an already existing user, you can delete their original password (or its hash) from your database after registering the user at PureKit.

If you already have a store of user passwords, you don't have to wait until users log in: you can go through your database and register them at PureKit at any time.

Authenticate user

After you've registered the user, you can authenticate them with the authenticateUser function. Read more about the PureKit authentication process in the Login section of the PureKit whitepaper.

AuthResult authResult = pure.authenticateUser(userId, password);

If a user has forgotten their password, see the User Password Management guide.

Manage user Grant

The authResult obtained from the authenticateUser function consists of a PureGrant and an EncryptedGrant. You'll need the PureGrant to decrypt the user's data, and the EncryptedGrant to pass to the user. Using the Grant, the user can access their data without authenticating for every decryption request until the Grant expires. In effect, the Grant is the equivalent of an active user session.

To provide a user with access to their data you need to:

  1. Authenticate them at the backend with authenticateUser
  2. Retrieve EncryptedGrant from authResult
  3. Pass the EncryptedGrant to the user as an access token
  4. When the user sends a request to the server using their EncryptedGrant, the server passes it into the decryptGrant function to obtain the PureGrant
  5. Using the PureGrant, the server is able to decrypt the user's data and send it to the user.

Note that if you're using custom storage, you'll need to check it regularly and delete Grants once they have expired.

If you need to invalidate the Grant immediately, you can use the invalidateEncryptedUserGrant function.
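The registration-from-existing-store, login, per-request grant handling and logout steps above, put together as one server-side helper. This is an added example, not PureKit's own code: `pure` is assumed to be an already configured Pure instance, `UserStore`/`UserRecord` are a hypothetical DAO over your user table, and the accessor name `getEncryptedGrant()` and the use of plain `Exception` are assumptions.

```java
import java.util.Optional;

// Added example, not PureKit's own code. `Pure`, `AuthResult` and `PureGrant` are
// the PureKit types named in this guide; UserStore, UserRecord, getEncryptedGrant()
// and the checked exception types are assumptions made for this illustration.
public class PureKitAuthFlow {
    private final Pure pure;
    private final UserStore store;   // hypothetical DAO over your existing user table

    public PureKitAuthFlow(Pure pure, UserStore store) {
        this.pure = pure;
        this.store = store;
    }

    /** Register users that already have a stored hash, then drop that hash. */
    public int migrateExistingUsers() throws Exception {
        int migrated = 0;
        for (UserRecord user : store.usersWithLegacyHash()) {
            pure.registerUser(user.id(), user.passwordHash());
            store.clearLegacyHash(user.id());   // original hash is no longer needed
            migrated++;
        }
        return migrated;
    }

    /** Steps 1-3: authenticate and hand back only the EncryptedGrant as the token. */
    public String login(String userId, String password) throws Exception {
        AuthResult authResult = pure.authenticateUser(userId, password);
        // The PureGrant stays on the backend; only the EncryptedGrant leaves it.
        return authResult.getEncryptedGrant();
    }

    /** Step 4: turn the token from a request back into a PureGrant.
     *  An empty result means "reject with 401", not a stack trace to the client. */
    public Optional<PureGrant> grantFromToken(String encryptedGrant) {
        try {
            return Optional.of(pure.decryptGrant(encryptedGrant));
        } catch (Exception e) {        // expired, tampered or already invalidated grant
            return Optional.empty();
        }
    }

    /** Logout: invalidate the grant now instead of waiting for it to expire. */
    public void logout(String encryptedGrant) throws Exception {
        pure.invalidateEncryptedUserGrant(encryptedGrant);
    }
}
```

Step 5 (decrypting the user's data with the PureGrant) is covered in the next guide and is left out here.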

Next step

Start encrypting user's data with PureKit: