For a project it's a requirement to implement data encryption on top of TLS. So the data sent by the client needs to be signed + encrypted, and be able to be decrypted by the server. The client should be able to retrieve the stored data at any request.
Unfortunately I'm still confused how this should be done. Luckily I found a good blog post, which I'll be using as reference to implement halite: https://davegebler.com/post/php/php-encryption-the-right-way-with-libsodium

In this case, I think I need to implement Asymmetric encryption - using keys, since I can validate the client + decrypt the data on the server?
But how can I receive the public key of the client? This should mean the client must:
A. Be connected to the internet, e.g. https://example.com/get-my-public-key
B. The public key should be sent to the server on first request (I cannot find any reference how to do this safely over REST)
C. Implement AES + RSA: https://medium.com/@algoryne_44970/how-to-secure-your-rest-api-with-rsa-and-aes-encryption-13f269a6952e
Storing the public key would allow verifying/decrypting the data at any moment. Which is nice, but you also have to frequently sync them. And I also don't like the usage of a single public key, since one key can open everything.
Hopefully you can answer some of my questions, or point me in the right direction.
Many thanks!
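
The sign + encrypt flow asked about above, as an added example (not part of the original issue and not Halite's API). It calls PHP's built-in sodium extension directly and assumes the server already stores the client's public signing key and the client already has the server's public encryption key; the function names, variable names and sample payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Client side: sign with the client's secret signing key, then seal to the server's public key.
function client_pack(string $plaintext, string $clientSignSk, string $serverBoxPk): string
{
    $signed = sodium_crypto_sign($plaintext, $clientSignSk); // signature || message
    return sodium_crypto_box_seal($signed, $serverBoxPk);    // only the server key pair opens this
}

// Server side: open with the server's key pair, then verify with the stored client public key.
function server_unpack(string $sealed, string $serverBoxKp, string $clientSignPk): string
{
    $signed = sodium_crypto_box_seal_open($sealed, $serverBoxKp);
    if ($signed === false) {
        throw new RuntimeException('decryption failed');
    }
    $plaintext = sodium_crypto_sign_open($signed, $clientSignPk);
    if ($plaintext === false) {
        throw new RuntimeException('signature verification failed');
    }
    return $plaintext;
}

// Constructed demo keys: each side generates its own pair; only public halves are exchanged.
$clientSignKp = sodium_crypto_sign_keypair();
$clientSignSk = sodium_crypto_sign_secretkey($clientSignKp); // stays on the client
$clientSignPk = sodium_crypto_sign_publickey($clientSignKp); // registered with the server
$serverBoxKp  = sodium_crypto_box_keypair();                 // stays on the server
$serverBoxPk  = sodium_crypto_box_publickey($serverBoxKp);   // shipped to clients

$sealed = client_pack('{"note":"constructed sample payload"}', $clientSignSk, $serverBoxPk);
echo server_unpack($sealed, $serverBoxKp, $clientSignPk), PHP_EOL;

// Failure cases: a flipped ciphertext byte, and a sender whose key is not the registered one.
$tampered = $sealed;
$tampered[0] = chr(ord($tampered[0]) ^ 1);
$otherSk = sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair());
$forged  = client_pack('{"note":"constructed sample payload"}', $otherSk, $serverBoxPk);

foreach (['tampered' => $tampered, 'unregistered signer' => $forged] as $label => $input) {
    try {
        server_unpack($input, $serverBoxKp, $clientSignPk);
    } catch (RuntimeException $e) {
        echo $label, ': ', $e->getMessage(), PHP_EOL;
    }
}
```

In this arrangement the client's public key is only used to verify signatures; decryption depends on the server's secret key, so a stored client public key does not by itself open any data.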