After reading this: http://stackoverflow.com/questions/30089604/jwt-whats-a-good-secret-key-and-how-to-store-it-in-an-node-js-express-app, on how to store “secret key” to assign JWS tokens. I had security questions. My data (messages, username, etc…) are going to be encrypted (in database) and only authorised users can decrypt it (based on their private key). Since JWS tokens are generated using 1 “secret key” which is stored on the server, in case an attacker gets the “secret key” and get’s hold of the database - tokens can be forged and therefore data can be decrypted bypassing “password”, which makes encryption pointless. With this in mind here are my ideas
Store the “secret key” on a separate server (like HSM) which will be received during login and then used to set the token
Encrypt some kind of salt for each user and use it as the “secret key”
I’d like to hear your thoughts and ideas. How does facebook or twitter do it? Do I really need HSM to store private keys for encryption or there’s some kind of alternative (eg: safe file system) ?
Thanks 