Password Encryption

This guide shows how to encrypt (harden) user's password and authenticate users with Virgil PHE Service.

Learn more about how Password-Hardened Encryption works here.


Generate user's Pure Record

To create a Pure record for a database:

  • Take the user's password (or hash) and pass it into the EnrollAccount function.
  • Store this user's unique record in your database.

The enrollment snippet below also provides an example on how to protect user personal data with encryptionKey and encrypt user password hashes with recoveryPublicKey.

Keep in mind that this step will replace password hashes with Pure Records, so it's important to go through all steps in Prerequisites.

If you need to update your user's Pure Records, for instance, if your database is COMPROMISED, take the immediate steps according to this guide.

using Virgil.PureKit; using Virgil.PureKit.Phe; using Virgil.PureKit.Utils; var password = "passw0rd"; // create a new encrypted Pure record using user password or its hash var enrollResult = await protocol.EnrollAccountAsync(password); // note that enrollResult.Record is a byte array. // save encrypted Pure record into your users DB // you can save encrypted Pure record enrollResult.Record to database as byte array or as base64 string // encode encrypted password record base64 string var recordBase64 = Bytes.ToString(enrollResult.Record, StringEncoding.BASE64); //use encryption key enrollResult.Key for protecting user data var phe = new PheCrypto(); var encrypted = phe.Encrypt(data, enrollResult.Key);

Note! If you have a database with user passwords, you don't have to wait until they log in. You can go through your database and enroll (create) a user's Pure Record at any time.

Verify user's password

After a user has their Pure Record, you can authenticate the user by verifying their password using the VerifyPassword function:

using Virgil.PureKit; using Virgil.PureKit.Phe; // get user's encrypted Pure record from your users DB var passwordCandidate = "passw0rd"; // check candidate password with encrypted Pure record from your DB var verifyResult = await protocol.VerifyPasswordAsync(passwordCandidate, record); // (verifyResult.IsSuccess == false) if passwordCandidate is wrong. //use verifyResult.Key for decrypting user data var phe = new PheCrypto(); var decrypted = phe.Decrypt(encrypted, verifyResult.Key);

Change user's password

Use this flow when a user wants to change their password.

If you use PureKit not only for hardening passwords, but also for encrypting user's data, you'll have to re-encrypt user's data with the new key so that the user doesn't lose access to it. Navigate to this guide and follow the instructions there.

If you're using PureKit only for encrypting passwords, then you have to simply create a new Pure Record using the new password for the user, and replace the old Pure Record with the new one.

Next step

Start encrypting user's data with PureKit: