Discussion on Gravity Forms Encrypted Fields

Discussion on Gravity Forms Encrypted Fields

Cart 2,608 sales

PluginOwl supports this item


This author's response time can be up to 5 business days.

565 comments found.

I’m trying to decrypt field on the front end (on a limited-access page).

I unlocked all gfef merge tags with this: ALL:ALL+, ALL:ALL, ALL:ANY, ALL:ALL+:U, ALL:ALL:U, ALL:ANY:U, ALL:ANY:X

I insert the following merge tag: {gfef_decrypt_5}

I still get the following error: Field Encrypted and Restricted

What else could still be keeping the content restricted?

Hello Check your “admin area only viewing” option. What method/plugin/etc are you using to insert a merge tag and display the data in the front end?

The “Admin Area Only Viewing” is not turned on. We are using Gravity View to display the data from the form.

For testing purposes can you try both checking this option and test.. then uncheck and test. Also please verify this data is visible normally in the normal gravity forms entries interface via a user with view permissions.

Is there a feature to log access to encrypted data? e.g. with someone uses the async password?

Hello, not currently but this would be easy to add. Although there are lots of user action logging plugins already to track what users do as far as page visits.

I’ll chat with devs to see about what this might look like for specific asynch pass usage and what application it might have. For example, what would be your use case?

Hello, I’m just checking whether you support encryption of uploaded file or if this is something in the pipeline?


Not currently. The Dropbox extension or piping to google drive allows for implicit encryption of files on submission. No current plans for releasing explicit encryption.

Okay, great. Thank you.


vfmg Purchased

Hi, I have made a gravity forms with encrypted fields.

There are 2 questions: 1. How can I now search for entries, when all fields are encrypted. The gf-wordpress search is not working for that? 2. How can I address a first name or last name to be decrypted in a notification or other context? The other fields are working I guess.


vfmg Purchased


Thanks for your fast reply: 1. the search seems now to work.

But with the merge tag I have some problems. Because my native language is german and I can’t understand what you are meaning in your help (I use a translator for that), maybe I need some more hints: For the first name I used the merge tag as follows (field ID for the name is 3):


It doesn’t show the decrypted text.

But when I use: {gfef_decrypt_3} it shows me first and last name correct.

Then I’m struggling with the {gfef_decrypt_ALL+} as well. I made a preview submission page in html with this tag. But it shows me just the section titles of the form.

I have set in Decryptet Merge Tags: ALL:ALL+, ALL:ALL, ALL:ANY, ALL:ALL+:U, ALL:ALL:U, ALL:ANY:U, ALL:ANY:X

When I use it in the notification, this tag is working {gfef_decrypt_ALL+}.

So I guess, it maybe some problem with preview? You can test with this token:


Yes it would seem the preview submission page does not utilize or work with our plug-in well. Is this from a plug in?

For the specific first name, your decrypted tag is correct, but you have to unlock the specific sub field in the merge tag unlocks for multi part fields. – in the instructions for merge tags review the multi part field portion. Click to expand the merge tag settings instructions and there is a section for the multi part fields with a guide. -In short you need to add an unlock after another comma like the following

,FORM ID:3.3

Replace “FORM ID” with the ID # of your form. This will unlock your decrypted merge tag you already have in place which shouldn’t need to change.


vfmg Purchased

Yes, i use the preview submission addon from gravity perks:

Thanks for the help with the multiparts field. It works now.

Hello, I am interested in your plugin, but wanted to know how I will be able to decrypt the data in another application that shares the Wordpress database? I have a hook that saves the field to another db. Does it use a key to decrypt the stored encrypted data? Thank you.

Amazing, your quick responses and explanations are incredible. Thank you again and we are glad and more confident than ever in our purchase and your support! Keep up the good work.

As a note, if you are going to send your data to another db for encryption and storage on submission and just auto delete it on the WP site , you wouldn’t really need to even set up the plugin’s encryption. It has a mode for this. You can turn on the encryption bypass option and just set up whatever auto delete functionality you want so your sensitive data gets deleted on the WP site and you can just use it as you want in your app.

I didn’t want to do that just as a failsafe in case the transfer doesn’t happen or there is an error. We would want to delete it automatically after 7 days. But thanks for that suggestion for possible future implementation.

Hello, How to deactivate licenses from sites which are no longer accessible?

If the site url no longer exists you can deactivate it when you go to activate on a new site. If the site is still an accessible address url the plug-in should be deactivated from within the site. Or you can send us an email ( click our username and send via contact form) and we can deactivate if the above have been tried and additional assistance is needed to deactivate

Thank you for fast reply, I had to install the plugin again to be able to deactive licenses from old sites.

An other question. We are encrypting all fields in the form. After decrying single fields stay cryptic. How can I decrypt them ?

Hello So you are using asynchronous mode?

What type of field is it, and Is there anything listed in the fields view permissions in its encryption settings?

Yes – asyc mode. it is always a standard text field. No there is nothing special in the view permissions set.

Is this the only field out of other encrypted fields this is happening to? What other plugins are affecting the field?

Hi, how can I export the encrypted data table and decrypt it on an other server ?


You could do this with a direct Database export. Then set your new server keys to match the old server keys.

But Normally I would suggest you would just export your entries already decrypted from your original server ( just log in as a user with access and your GF entry exports are decrypted just like you can view them decrypted. Then import into the new server and manually encrypt them there with the new AUTO KEY and whatever password you’d like. moving data over and using a manual key override to match the old server is never suggested. Manual keys eventually run into problems regenerating on updates and users forget to check it each time to re-input after update if needed. Export decrypted then import and re-encrypt with the auto key on the new site is the way to go.

.. as a side note the data table in the DB is not encrypted. The individual data stored is

nuoem Purchased

Hi I am trying to set up the forms for specific users to access the encrypted data but not the admins (including myself as the admin) But admin can always edit the forms, so it can simply change the user/role view settings I don’t find a way where user can see their own created GF yet. (Means if the GF created by other user, admin cannot see the form.) Do you have any workaround to ensure all admins have no access to the encrypted data or change the settings after the form is set up?

I don’t use Global settings because i want the encryption to be per form.

If you do look into a role editing plugin,(user role editor or similar) I believe you can just make sure users do not have the “edit users” capability and they should not be able to access our plug-in settings page by default. Any users who can edit users can of course just change thier own capabilities or create another user with access so it is likely the highest granular permission you can single out by NOT giving it to users who should not have access to certain things such as our plug-in settings page.

nuoem Purchased

Yes I understand, I am using User Role Editor plugin too. I am trying to block even ME myself from accessing the encrypted fields.

It seems the best solution would be using the global block and access lists and blocking yourself and anyone else as needed ( the block lists .. including the individual field lists in the form editor, can block or give access to ANY users including admins as admins do not have any special access to encrypted fields over other back end users) then having someone else (whoever will ultimately control access) set the settings screen lockout password. But someone has to have it as changed will inevitably eventually need to be made to the access lists and possibly other settings.

If we are able to eventually implement the access list per form option it would help make your specific use case much more viable from there As it would give the global access list optional form based granularity per user. But you’d still lose the individual field level access control. …normally this could be done at the field level in the form editor to control access per form and specific fields, but your back end users have even given form editing capabilities so pulling back to the lockable settings page does not afford you the normal per field/form Granular control.

Normally you could just make this so only the super admin would be able to edit the forms and the other users could view /export /edit entries/ etc but not edit the actual forms, so they can’t edit their own access, but if each of these other users actually need to be able to edit the forms themselves then your limited to using the global lists in the settings page and locking everyone out with the password.


TorinIA Purchased


I’ve been struggling with the use of the decrypted merge tags in combination with the use of Async mode. I’ve added the FORM:FIELD values to the ‘decrypted merge tags’ setting, and as To: address in the notification {gfef_decrypt_FIELD} (i.e. 3:4 in the former, {gfef_decrypt_4} in the latter). This would not work, however. I’ve also tried the 3:ALL and ALL:ALL options). The email address stayed encrypted.

Which, when I think about it, might be logical but I haven’t seen this mentioned anywhere in the instructions or instruction videos.

I either have to disable Async mode (which I’d rather not do) or check the ‘Encrypt after submission is processed’ option on the E-mail field (and select Email as the ‘Send to’ field in the notification) to get the notification to be sent out to the non-encrypted value. Is this indeed correct? Or should the decrypted merge tags work with Async mode and is there something else that I need to change in my settings?

I’m using version 6.1.3 of the plugin and WordPress 6.0.2.


Use of decrypted tags with asynch mode is extensively covered in the instructions for OpenSSL Async / Strict Access Mode: under the encryption type option on the settings page.

In short, When using asynch mode there is NO auto decryption by the system. Nothing can be decrypted without a logged in asynch user performing the actions. This is the intent of the mode for strict access that the system cannot actually possibly decrypt anything without express logged in authorized permission. However, You can still send out unencrypted data on the initial submission for anonymous users by using a method detailed in the instructions section noted above. Using the “process feeds and add on before encrypting “ along with normal GF merge tags and the merge tag filter bypass. . This method is only instructed to be used in conjunction with asynch for initial anonymous submissions, and should NOT be used for any other encryption modes.


TorinIA Purchased

Thanks for the quick response! I’ve read a lot of the instructions and watched the videos, but I must have missed this one. I’ll dive into it.

Hi I have purchased the Gravity Forms Encrypted Fields WP Plugin. I need to install it on a development/staging copy of my website (with ‘dev’ subdomain, which is on the same domain as my production site (with ‘www’). Can this constitute as “one” installation?

Thanks, Kelvin


Yes. You can install it on both the dev sub domain and the production site

I have a use case where I need to request personal information from people that should likely be encrypted. This also includes an uploaded file. Following that I need the submitted form to be sent via the Galaxy Forms webhooks. My question is, am I still able to use this product and will the data be encrypted before or after it’s passed over the webhook. If so, how can I decrypted it?


Are you referring to gravity forms web hooks?

You can select to encrypt the submitted data in the database before or after the webhooks are processed. If encrypting before, you can use the plugins decrypted merge tags to pass decrypted data if the webhook allows for use of gravity forms merge tags. If encrypting after, you just use The webhooks normally. The web hooks (and GF webAPI) should all be being using https so the communication via them is also implicitly encrypted without any need for the user to do anything additional. To that end, it would just be on the user to be sure you are using secure webhook plugins.


We’re trying to encrypt some additional fields within our gravity forms but notice now that the Encryption field options under the Advance tab no longer has their selection options.

The titles are still there but there’s no input field or a way to select a certain option. Seems like the encryption fields view are not compatible with the new Gravity forms layout view/style.

I have a screenshot I can show but not sure how to post it here. Any suggestion or solution? Thanks.


Our plug-in is fully compatible with the latest WP and Gravity Forms versions. It sounds like you are running a pretty old and outdated version of our plugin. Please be sure to update when available. You can select to receive email notifications for updates through your envato account for the product under your downloads section, and/or you can use the envato market plugin to help auto update your envato plugins and receive update notification.

The latest plug-in version is Version 6.1.3

Thanks so much we will do that. Sorry about that, no indication of an update was presented within our WordPress Dashboard view nor the plugins area. We will re-download, update, and turn on auto update notifications for now on. Thanks!


With Asynch Encryption enabled, when authorized users log in to view the form entries they get a 500 error message. This only occurs with asynch enabled. authorized users can view form submissions with just open ssl encryption.


Yes. A plug-in conflict may only be occurring when using asynch. This would be the next step to take. Also making sure your server supports php sessions. Otherwise asynch is not supported

Thanks. I confirmed that PHP sessions is supported by our host server, however the documentation suggests that this introduces several security vulnerabilities. here is the documentation from WP Engine:

”....Finally, there are multiple security vulnerabilities centering around PHP Sessions. Vulnerabilities include session data being exposed, session fixation, and session hijacking.

Session Alternatives WordPress itself specifically doesn’t use PHP sessions. The correct method to store session data is to use the database. “


Plug-in already addresses these potential issues in using php sessions. This is not having to do with your error 500.

If your server setup is correct you must look to examine potential plug-in conflict. Disable all other plug-in and use asynch. Then if working, enable other plug-in one at a time and test asynch


jdcohan Purchased

I want to PREVENT WordPress Admins from viewing certain protected (hidden) GF form field entries from the Entries UI while ALLOWING the user who submitted the form to view such entry data. I’m trying to go the easy route: i.e., not using encryption.

Here are the steps I took:

1. I enabled Encryption Bypass in settings.

2. I created a simple form in which one field (“Test”) was configured to have “User Owned Field” enabled.

3. I submitted the form from one of my admin logins.

4. I then logged into the site with a different admin login in an incognito browser window.

5. Using this different admin login (NOT the one that submitted the form in step 3), I was able to view the field that should have been hidden. Not what I was hoping for.

I also modified the above steps in a few ways:

A. I unchecked “User Owned Field”, checked “Original Submitting suer View Permission”, and selected “Hide Field Value” in the ‘Encryption’ section. RESULT: No difference.

B. I then added “lockdown” in the global ‘User Lockout List’. RESULT: Then NO ONE (including the Admin user who entered the form data) could view any hidden entry data.

Is what I’m trying to do (hide entries from WP admins who were not the users who submitted the data) possible? If so, how? What am I missing? If not, I suppose that means I need to use encryption — yes?

Double check the steps. We made a correction to the response for step 2. You should not be using the lockout list.


jdcohan Purchased

Exellent! That worked. Thank you.

Am I understanding correctly that I cannot enter the non-existent username in the global User Lockout List — rather than entering it into the field-specific User/Role View Permission box? (If I could, that woulld certainly make things easier…)

You are Correct. The restrictions have to stay per field.


jdcohan Purchased

My site is using Lets Encrypt for SSL Does this satisfy the OpenSSL Encryption Enabled requirement?


It should, but is not recommended for production sites over a standard issue certificate. The system check used in the setup instructions will verify this


jdcohan Purchased

Thank you. Do you have a recommended standard issue certificate provider?


Your web host should have certain ones they work with, Auto install, etc

I wanted to document an issue with the most current version of WP and Elementor.

Here is what I am seeing:

“Site Health is reporting a critical issue:

An active PHP session was detected

A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.”

I enabled and disabled the plugins one at a time to determine which was causing the error. The error disappeared when I disabled yours.


The latest plug-in version is : Version 6.1.3

You are likely running an old version with has this already resolved issue. Please update if this is the case

i added this onto my website and now viewing gravityview entries is painfully slow. any way to speed things up? I have a decent server on siteground. Thanks


Be sure to go through the instructions in full.

Hide field value does not give any specific permissions to any users. It simply hides the field data values to users without view permissions without actually encrypting the data in the database. You have to give the original submitting user view permissions, either by “ Original Submitting User View Permission” or “user owned field”

The osuvp option gives the original submitting user view permissions IN ADDITION to any other assigned view permissions. While “user owned fields” can ONLY be viewed by the original submitting user regardless of any other view permissions settings.

This is all covered in depth in the setup instructions under the “understanding the View permissions flow “ section.

If the view you are looking at otherwise is generated by merge tags , you need to use our custom merge tags. The decrypted merge tags decrypt ALL the time with no regard for view permissions, while the user decrypted merge tags check the view permissions of the user to determine access to the merge tag generated content.

Yes I clicked user owned but it didnt work, is this because it only works on new entries i make not older ones that was made before i added that the field is hidden. I think its because the field is generated by a merge tag I wasnt aware i needed to use your merge tags for the hidden field selection. Many thanks :D regardless unless gravityview has a solution for there advanced filter extension i cant use your app, ill let you know if they have a solution, thanks!!



Encryption, hide field value, and user owned field only apply to new entries after the setting. these all change the way the data is encrypted or not on submission, and changing the Settings does not retroactively change the data in the database for any previous entries. You can manually change any encryption for previously existing entries. This is covered in the setup and usage instructions.

There is also some coverage on using our merge tags with gravity view specifically as well. If you create a custom view, you can display merge tag content using our custom merge tags. You can just run your own filters in any custom view. But this requires some dev side coding using gravity views available filters etc.

Can we have emails come through but keep the info encrypted on the back end?

I could not tell how to do this from your documentation in the plugin. It’s not clear to me


There is no single setting. You use the plugins custom decrypted merge tags. Please refer to the complete setup instructions for the plugin. At the top if the settings page They cover the set-up and use of the decrypted merge tags in detail with a video guide available as well.

Can you send me some screenshots where this is effected. Or a video with the steps to turn it on and off. Your instructions are not easy to follow. PLEASE HELP

If you scroll to section 12 of the instructions there is a step by step guide on using the merge tags. Just unlock them in the settings page setting ( read the instructions There and you can unlock all with a single click there and saving the settings page if you like)

Otherwise at the top of the settings page immediately under the Setup instructions button, There is a button for video tutorials and resources. There is a full video on using the merge tags There. However, for single users, just unlocking all of them from the merge tag setting on the settings page first and then simply selecting them from gravity forms drop down menus where available is quick and easy.

As far as how each type of available tags works after they are unlocked and selectable, either go through the setup section 12 in full or refer to the video tutorial

Hi, pre-sale question. You have up to WP 5.9.x listed in ‘Software Version’. Is it in-fact up to date and working with WP 6.x and Gravity forms 2.6.x?


Yes. It works with all latest WP and Gravity Forms


Tell us what you think!

We'd like to ask you a few questions to help improve CodeCanyon.

Sure, take me to the survey