Building an E2E Encrypted Chat Application with LanceDB and Libsodium
19 hours ago
- #End-to-End Encryption
- #Libsodium
- #LanceDB
- Seal is an end-to-end encrypted chat application using LanceDB for storage and libsodium for cryptography.
- The server stores and relays encrypted messages without accessing plaintext or private keys.
- Each user generates an X25519 key pair; public keys are stored server-side, private keys remain in the browser.
- Ephemeral key pairs for each message ensure forward secrecy, preventing retroactive decryption if long-term keys are compromised.
- Self-encryption allows senders to decrypt their own sent messages by encrypting a copy with their public key.
- Hybrid encryption for channel images uses a symmetric key for the image and encrypts that key per member for efficiency.
- LanceDB serves as the sole data store for messages, metadata, and attachments, eliminating the need for separate infrastructure.
- Schema migrations are handled at startup using PyArrow, allowing addition of columns without downtime.
- Password-protected key export uses Argon2id for secure device transfer, with encrypted private keys stored alongside public keys.
- WebSocket connections manage real-time message relay, with rate limiting and input validation to enhance security.
- Testing includes interoperability between Python's PyNaCl and JavaScript's libsodium for consistent encryption and decryption.
- Production considerations include TLS for security, containerization for deployment, and potential extensions like video conferencing.