I want to build an application using Laravel and Vuejs with a chat feature. I'd like to use end-to-end encryption and do know how end-to-end works itself (at least I think I do). Now there is the problem of sharing the same key pairs across multiple devices when using a simple web app, so I'd like to save them on the server.
Now there's the risk of a data breach. So I was thinking about encrypting the private key with a 4-digit PIN which the user specifies at the first registration. This pin won't be saved anywhere, with no cookies, and no database anywhere except the ram of the window. Would this be considered safe enough to say it's e2ee without the possibility of server admins or hackers reading encrypted messages from the database but with the possibility of a simple login and message sharing between multiple devices? The biggest disadvantage from my perspective, is the fact that you can't reload the page without needing to insert the PIN again. My biggest concern is the fact that the 4pin code is easy to bruteforce so it would be safer to send it to the server so the server tries to decrypt the key. But then it would be vulnerable to man-in-the-middle attacks again. And increasing the pins length/type would decrease the comfort of the app itself I think.
I think it's necessary to clarify that the app will be secured by an OAuth2 identity provider named Keycloak. So that won't be the only authentication just the security mechanism to ensure e2ee.
I am very open to ideas of improvement or even completely different approaches but I have a limited space to operate in.
The private key remains private as long as it does not land on your server period.
4 digit pin is not strong enough to protect any secret. Automated attack on the pin will be successful in a couple of (mili)seconds.