I was thinking about creating a Web app that would let people enter text (using SSL connection) and it would be encrypted before saving to the DB. The goal would be to have it so that only users could decrypt it.
You could have the users enter the key along with their data, and enter it again when they want to see the data, and not store the key. That would be kind of painful for the user, though.
However, if you stored the key on the server you’d have access to it and could potentially decrypt their data.
I don’t think it’s possible to do it without either having the user enter the key every time or storing the key, but is there some way that I’m not thinking of? Like maybe generating a key from information only the user knows? Something involving cookies?
From an information security perspective, this only makes sense if the encryption/decryption is done on the user’s computer, and not your server (since there’s no guarantee that you’re not storing the key and/or the plaintext). JavaScript is out of the question, so you need a client application*.
Also, public-key cryptography is computationally expensive. You might want to keep that in mind if you have a lot of users and decide to do encryption/decryption on the server.
* or a Java applet, but that’s so 90’s. Silverlight or Flash could potentially work, too.