End-to-end encryption for web apps

Hey Everyone,

I wanted to get your thoughts on end-to-end encryption. For context, my web app is a React SPA and saves data in the cloud in Firebase (Firestore).

It seems the most common implementation in web apps is encryption in transit via https/SSL/TLS and encryption at rest. That's easy to do – in fact, it’s the default approach in Firebase’s hosting and database.

I am curious about e2ee and trying to learn more about it. In theory, it would be nice to provide an extra layer of privacy and security for users.

When I researched how to implement e2ee, most of the articles I’ve read suggest using a third-party service like Virgil Security or Tanker. (Not surprisingly, many of these articles are written by the companies themselves). But this does not seem like a good solution in terms of extra cost, complexity, and vendor lock-in (is there even a way to move your app off these services?). And most importantly, if their services go down, won’t all users be unable to decrypt their data?

I’ve also read articles that suggest using a user-generated password/key and a client-side encryption library like crypto-js or jsencrypt. This bypasses third-party services but puts the onus on the user to generate and keep the password/key. If the user forgets or losses the password/key, they are locked out permanently with no recourse.

Are there other methods/implementations of e2ee out there that I’m missing? Because both of these options seem poor to me.

If you have e2ee in your app, I would love to learn the specifics of your implementation.

Thanks!