Encrypted forms
We are excited to add support for encrypted forms to Formhub. Encrypted forms work by encrypting the data on the phone the moment it is saved. Data sent to formhub is encrypted and completely inaccessible to anyone not possessing the private key. In this case, Formhub serves simply as a storage locker for your encrypted files - a place to upload and then download for later for local decryption (using ODK Briefcase). Since the form submissions are encrypted, it means, however, anything that requires access to the data like the map view or data export won’t work within Formhub. The extra level of security makes using Formhub in a way to collect sensitive data while meeting IRB protocols possible. This has been a major request from our University colleagues so we are particularly excited to announce support for this important feature.
How it Works?
ODK Collect supports the ability to encrypt the content of a form the moment it is marked as completed and ready for submission on the phone. To take advantage of this requires the use of a public encryption key which you include in the XLSForm and a private key (which you never share) that is used by ODK Briefcase to decrypt the data locally after you’ve downloaded it from Formhub. The public key is used to encrypt data while the private key decrypts it. Only a person who has the private key, can decrypt the data encrypted with the public key. To understand more about public and private key infrastructure see http://en.wikipedia.org/wiki/Public-key_cryptography/ .
How to encrypt XLS forms
- In your XLSform, add a worksheet called ‘settings’
- In this worksheet create three columns namely: ‘ id_string’, ‘submission_url’ (is your submission url), and ‘public_key’ (is the base64RsaPublicKey). See below for more information on generating the required public key. Do not set a password when generating the key. The public key is the key that is on the ‘public_key’ column on the ‘settings’ worksheet of your xlsform. The syntax for the form is as shown by the image below:
- Upload the xlsform to formhub as usual. You should see a label with the text “encrypted” next to your form name on formhub as shown below:
How to decrypt forms?
ODK Briefcase (see earlier post) is used to download the encrypted files from Formhub and decrypt them locally on your computer using a private key ensuring single access to the data. For decryption to be successful with ODK Briefcase make sure you install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 from this site
- Open ODK Briefcase.
- PULL the encrypted form to your PC. See how to PULL forms from formhub in our previous post Formhub now supports ODK briefcase
The encrypted form is decrypted only during export. Go to the ‘Export Tab’ and specify the PEM private key to decrypt the form.
- Click ‘Export’
- Data is exported as a CSV file, you can now be able to view the unencrypted data.
Generating RSA Encryption Keys
To generate the Rsa public-private key pairs you can use the OpenSSL software package, which is pre-installed on OSX and Linux. On Windows you have to download and install the OpenSSL software package from this site.
How to generate rsa key for use with encrypted forms on formhub
- Open a Windows ‘cmd’ window.
- Type the following command: cd C:\OpenSSL-Win32\bin to change to the /bin directory in the OpenSSL directory.
- Create a 2048-bit private key and write it to the MyPrivateKey.pem file by typing the following command, then press Enter: openssl genpkey -out MyPrivateKey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
- Then, extract the public key for the above private key. Type the following command then press Enter: openssl rsa -in MyPrivateKey.pem -inform PEM -out MyPublicKey.pem -outform PEM -pubout
- You have now generated two files that is:
- MyPrivateKey.pem - your private key that you need to move to a secure location.
- MyPublicKey.pem - your public key, that you can share with anyone you want to share information securely
- Open the MyPublicKey.pem with notepad, your public key is the uninterrupted very long string of characters, this is what you will paste under the public_key field in your settings sheet on your xlsform.
- MyPrivateKey.pem is the file you will use when exporting the submissions using ODK Briefcase.