The solutions, as you say, derive the key from the client's password, so you never store it directly. This is the method used by the LastPass password manager. The function most people use for this is PBKDF2. Storing the key in a plain variable is not really insecure, in that if someone can read that variable, they can also read the data your client is working on. Just make sure you clear the data when the client logs out.
Fortunately, this library already does almost all of these things very well, and it was actually written by honest-to-god cryptographers, not by some web 2.0 type who read Bruce Schneier's book and thought they knew everything they needed to know about cryptography.