Zero Knowledge/Access Encryption using Cloudflare Workers

I’m looking to implement zero knowledge/access encryption using Cloudflare Workers. Upon researching some ways to do this, I came across https://www.youtube.com/watch?v=JrepGP9iOig. It talks about creating a CA store using the node-forge NPM package. Interestingly enough, it doesn’t look like that package has been updated in over 2 years, which definitely concerns me.

Therefore, I started looking into the Web Crypto API found at https://developers.cloudflare.com/workers/runtime-apis/web-crypto, recommended for performance reasons over pure JavaScript. However, it doesn’t appear that library has any native functionality for creating a certificate store. It looks like I could implement this functionality using pure JavaScript but the article on Web Crypto indicates doing so comes with a performance penalty.

Has anyone successfully implemented zero knowledge/access encryption yet using Cloudflare Workers? Any thoughts and help on this would be greatly appreciated. Thank you.

I’ve been doing some research, and it looks like from a performance standpoint it is crucial to ensure the use of Cloudflare’s Web Crypto API implementation via crypto.subtle. Currently, Node Forge doesn’t use the regular Web Crypto API (see https://github.com/digitalbazaar/forge/issues/145), but another library does which may suit my needs: PKI.js (see https://github.com/PeculiarVentures/PKI.js). If I fork the library or enhance it via a pull request, I could enable the use of crypto.subtle where possible to ensure the performance benefits are achieved. In cases where an implementation is missing, I can then just use the Node.js implementation and set the nodejs_compat compatibility flag (see https://developers.cloudflare.com/workers/runtime-apis/nodejs/).

I’ll keep digging into this and update this thread with my findings.

Looks like I may be able to implement some of the functionality I’m looking for without an additional library by just using the Web Crypto API Certificate class (example: https://nodejs.org/api/crypto.html#class-certificate). I’m not sure if this will have all the options I need. Will continue to post updates as I learn more.

This post from Stack Exchange is an insightful read: https://security.stackexchange.com/questions/157422/store-encrypted-user-data-in-database. It may be possible to simplify things without needing multiple libraries/frameworks. Also, reading how Proton Mail encryption works offers additional clues, especially what’s found at https://proton.me/support/set-account-recovery-methods.