[stingraycharles]

You could encrypt it with the user’s password instead (rather than hashing it). This is also the approach taken by e.g. password managers, they use your password as a seed for encrypting all your data.

The problem is that this would make the database entirely inaccessible unless you have access to the password. That creates quite a lot of friction in the user experience, the user would have to provide his password on every interaction (ie not just when logging in).

[Ajedi32]

Users wouldn't need to provide their password on every interaction; just when logging in. The browser could save a derived decryption key in a cookie or local storage and use that to persist the session.

We're basically just discussing end-to-end encryption.

The real reason it's not done more often is that it makes things a lot of things way more complicated from a development perspective. Features like "allow users to send messages to each other" that would normally be really simple to implement suddenly require a whole public key infrastructure and logic to take into account edge cases like "What if the user got a new phone or changed their password and was offline when the message was sent?", or onerous threat models like "What if the server is controlled by an attacker when I sign-in?"

[kelseyfrog]

Not exactly following. Couldn't DMs simply not be E2E encrypted while maintaining encryption for personal info?

[Ajedi32]

End to end encrypted with what key? What if the user changed their password? What if they got a new phone? What if the server is only pretending the user got a new phone to trick you into leaking your messages?

All of those problems are solvable, but "simply" is hardly the word I'd use to describe designing a secure end-to-end encrypted application. It's way, way more development effort than just "hash user passwords with bcrypt and don't allow access without the password", which is why it's rarely done unless E2E encryption is a major selling point of the application.

[kelseyfrog]

Sorry, still not following. I wrote not E2E encrypted. I'm struggling to understand why messages that are not E2E encrypted would require key management.

[Ajedi32]

Sorry, misread.

Yes, you could symmetrically encrypt the tiny portion of personal data that needs to be read solely by you without much added complexity.

However, with few exceptions (password managers, backups, personal notes, etc), the whole point of uploading data to an online service is to allow it to be shared with other people or services. Once that happens, you need all those complicated key management and security systems I just talked about. It's effectively end-to-end encryption.