It's complicated indeed. A simple "clear browsing data" would make him lose the data forever hehe. And if you keep the key in the server, it would be "hackable", which is what I was trying to avoid. I haven't looked at it but https://solid.mit.edu/ looked promising.