Web Crypto API: Generate Non-Extractable Private Key
Learn to generate a key pair with a non-extractable private key and an extractable public key using the Web Crypto API.

vlogize
21 views • Apr 11, 2025

About this video
Discover how to generate a key pair using the `Web Crypto API`, ensuring that only the private key is non-extractable while allowing the public key to be shared.
---
This video is based on the question https://stackoverflow.com/q/75404661/ asked by the user 'Danny Moerkerke' ( https://stackoverflow.com/u/1119295/ ) and on the answer https://stackoverflow.com/a/75405358/ provided by the user 'Andrew Parks' ( https://stackoverflow.com/u/5898421/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Web Crypto API: generate key pair and make only private key non-extractable
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/licensing
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/by-sa/4.0/ ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/by-sa/4.0/ ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Understanding the Web Crypto API
In the realm of web security, the need for robust cryptography is paramount. As developers, we often face questions regarding how to effectively handle keys, especially concerning their extractability. One recurring question is, "Can I use the Web Crypto API to generate a key pair where only the private key is non-extractable?"
The Challenge
When using the generateKey method of the SubtleCrypto object, one might believe that the extractable argument imposes the same status on both keys, private and public. This misconception causes confusion when developers want to safeguard their private key while still needing to share the public key.
The Good News: It Is Possible!
Contrary to what many assume, generateKey does produce a key pair in which the private key is non-extractable while the public key can be exported. Let's explore how this works.
Key Generation Example
Here's how you can generate a key pair with the private key being non-extractable (the code snippet is shown in the video):
Breakdown of the Code
Key Generation:
We call the generateKey method with an algorithm parameter (here ECDSA on the P-384 curve), an extractable flag set to false, which the API applies to the private key (the public key of a generated pair is always extractable), and key usages of sign and verify.
Extractability:
After the key pair is generated, we check the extractability of both keys:
privateKey.extractable is false, so any attempt to export it through exportKey is refused.
publicKey.extractable is true, so you can export and share it.
Exporting the Public Key:
Finally, we use exportKey to convert the public key into a JSON Web Key (JWK) format, making it ready for use or sharing.
Conclusion
The Web Crypto API provides a flexible way to handle cryptographic keys, allowing developers to generate a key pair while keeping the private key non-extractable and enabling the public key to be shared securely. By using the generateKey method's extractable flag deliberately, you can achieve a secure implementation tailored to your application's needs.
Final Thoughts
Armed with this knowledge, you can now confidently generate key pairs for secure web applications while optimizing key management practices. Dive into the implementation and explore the broader capabilities of the Web Crypto API in your projects!
Video information: 21 views, duration 1:31, published Apr 11, 2025.