by Xylakant
1414 days ago
Your parent poster proposes that the key itself is protected by a password that the user needs to enter and that the unlocked key is only stored on the user's device (local storage for browsers, …). The server only serves encrypted data that gets decoded in the browser. The primary usability problem for that approach is that there's no way to recover the data (messages) if the user ever forgets the key's passphrase. Another problem is that all of the rendering that uses such encrypted data needs to happen client side in JS, WASM or similar.
I am not in security, but I think that XSS might be a concern here with something so sensitive.
And the UX problems that come with it. Sounds interesting, though, to at least discuss with customers to see if the benefits are worth the costs to them.