Asymmetric Encryption Key Pair Provisioned at User Onboarding

During the onboarding flow, after successful BankID or Vipps authentication, the Key Management Service generates an asymmetric key pair using device-native APIs. The private key is persisted exclusively in Flutter Secure Storage (OS secure enclave) and never transmitted anywhere. The public key is registered in Supabase against the user's account, making it available for coordinators to encrypt inbound assignments. The user sees no friction — the key generation happens transparently in a background Isolate. If a user reinstalls the app or switches devices, a key re-provisioning flow is triggered.

CRITICAL story-encrypted-task-assignment-global-admin-005 8 pts

Story Points

Critical

Priority

Encrypted Task Assignment to Peer Mentors

Feature

User Story

As a user

I want the system to automatically generate an asymmetric encryption key pair for my account during initial onboarding, store my private key securely in the device secure enclave, and register my public key in Supabase — without requiring any manual action from me

So that So that I am ready to send and receive encrypted assignments from the moment I complete onboarding, and my private key never leaves my device, ensuring the server cannot access plaintext sensitive data

Acceptance Criteria

Given a new user completes BankID or Vipps authentication during onboarding, when the onboarding flow completes, then an asymmetric key pair has been generated and the public key is registered in Supabase without any user action required
Given the private key is generated, when it is stored, then it is persisted exclusively in Flutter Secure Storage and is never included in any network request or backup
Given the public key registration completes, when a coordinator attempts to send an encrypted assignment to this user, then the public key is retrievable by the Task Encryption Service for payload encryption
Given the user reinstalls the app or uses a new device, when they re-authenticate, then a new key pair is generated and the public key in Supabase is updated, with previous assignments remaining unreadable on the old device
Given key generation is running, when it executes in a Flutter Isolate, then the onboarding UI remains fully responsive with no visible lag

Business Value

The entire encrypted assignment system depends on each user having a valid key pair. Without this story, no encrypted assignment can be sent or received. Generating keys transparently at onboarding eliminates user friction while enforcing the security model where private keys never leave the device — a core architectural guarantee required for GDPR-compliant handling of medical and personal data.

Components

Key Management Service service
Encryption Infrastructure infrastructure

Encrypted Task Assignment to Peer Mentors

Related Feature

Global Administrator

User Role