Encryption

The Kinvey iOS library uses Realm to persist data in local storage. We rely on Realm's encryption support to encrypt database files on disk.

Setup

You can instruct the Kinvey library to encrypt your local data when you initialize the Kinvey Client. There are two options available on Client.initialize() to specify how your data should be encrypted.

By providing your own encryption key

You can generate your own key and pass it to the library through the encryptionKey parameter. The library then uses that key to encrypt local data.

Kinvey.sharedClient.initialize(
    appKey: "<#Your app key#>",
    appSecret: "<#Your app secret#>",
    encryptionKey: "<#Your encryption key#>".data(using: .utf8)
) {
    switch $0 {
    case .success(let user):
        if let user = user {
            print("User: \(user)")
        }
    case .failure(let error):
        print("Error: \(error)")
    }
}

With this option, the app can decide how to generate and store the key. We recommend referring to Apple's guides for key management for best practices on generating and storing keys.
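The following is an added example, not part of the Kinvey documentation or SDK: one way for an app to generate a random key with SecRandomCopyBytes and keep it in the Keychain before passing it as encryptionKey. It assumes the 64-byte key length that Realm's encryption requires; the function name, error type, and the service and account labels are hypothetical.

```swift
import Foundation
import Security

enum KeyStoreError: Error { case random(OSStatus), keychain(OSStatus), malformedKey }

// Returns the database key, creating and storing it on first launch.
// `service` and `account` are hypothetical labels chosen for this example.
func loadOrCreateEncryptionKey(service: String = "com.example.myapp.kinvey",
                               account: String = "local-db-key") throws -> Data {
    let keyLength = 64  // assumption: Realm expects a 64-byte key
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]

    // Reuse the stored key if one exists, so existing data stays readable.
    var query = base
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let readStatus = SecItemCopyMatching(query as CFDictionary, &item)
    switch readStatus {
    case errSecSuccess:
        guard let key = item as? Data, key.count == keyLength else {
            throw KeyStoreError.malformedKey
        }
        return key
    case errSecItemNotFound:
        break  // first launch: fall through and create a key
    default:
        throw KeyStoreError.keychain(readStatus)
    }

    // Generate the key from the system CSPRNG; never derive it from a literal string.
    var bytes = [UInt8](repeating: 0, count: keyLength)
    let rng = SecRandomCopyBytes(kSecRandomDefault, keyLength, &bytes)
    guard rng == errSecSuccess else { throw KeyStoreError.random(rng) }

    // Store it so it is excluded from backups restored to another device.
    var add = base
    add[kSecValueData as String] = Data(bytes)
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let addStatus = SecItemAdd(add as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw KeyStoreError.keychain(addStatus) }
    return Data(bytes)
}

// Usage: let key = try loadOrCreateEncryptionKey()
// then pass `encryptionKey: key` to Kinvey.sharedClient.initialize(...).
```

If the Keychain item is lost (for example after restoring to a new device), the existing encrypted database can no longer be opened with a freshly generated key, so the app should be prepared to discard and re-sync local data.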

By letting the library autogenerate a key

You can let the Kinvey library generate and maintain your encryption key with the encrypted parameter.

Kinvey.sharedClient.initialize(
    appKey: "<#Your app key#>",
    appSecret: "<#Your app secret#>",
    encrypted: true
) {
    switch $0 {
    case .success(let user):
        if let user = user {
            print("User: \(user)")
        }
    case .failure(let error):
        print("Error: \(error)")
    }
}

With this option, the library uses a randomly generated key (we build it using SecRandomCopyBytes) to encrypt your data, and stores it securely in the Keychain.

  • The encryption options you specify are used to control the encryption of data in local storage. User credentials are always stored securely in the device keychain.

  • Encryption of file stores is not currently supported.