
I notice there is no discussion about credit card info for this plugin. Do you know offhand if it would be PCI compliant to store credit card numbers as long as they are encrypted?

By default Gravity Forms does not store credit card info for payment forms. Nor does our plugin support the encrypting of credit card fields, but that doesn’t stop someone from storing card information through other fields. However, PCI compliance requires more than just encryption, which is why we implement strong access controls and other safeguards. Still, there is no “default” for compliance and each implementation is unique in application and should be set up to follow those guidelines for your application as required by the PCI standards. The PCI regulations are really what you would want to look at to see what would be required to store card info in your use case.

Encryption and access control are just part of the solution in most PCI requirements of such storage.

The installation process is quite complicated. It would be great if you’d make a video for users with only a small experience within WordPress. Also a few graphics and cleaner dashboard information within WordPress would help to understand better how this plugin works. Also having that plug-in in German would be nice.

Thank you for that plug-in. Looking forward to seeing how you evolve your plug-in.

Thank you for the feedback. We are strongly looking into creating some video tutorials in the future.

Herdl

Herdl Purchased

Is there a way for encryption to remain applied and the fields able to be exported, unencrypted, by whitelisted users? Currently they seem to export as blank fields

Herdl

Herdl Purchased

Thanks for your previous answer – that solved the problem. I have another related question: in the form view for restricted users, all the data fields are encrypted which is great. However, there’s a link available to view file uploads which we would want to be encrypted. Is it possible to encrypt the file uploads too?

Currently at this time the plugin does not offer file encryption, but it DOES have some things that you can do to keep sensitive files off the server entirely.

If you check out the settings page there are the following options:

“Delete Only File Uploads After Submission”

“Attach File Uploads to Notification Emails”

Using these options you can add uploaded files as attachments to specific e-mail notifications for a form and have them auto deleted from the server after a submission and after notifications are sent etc. This allows you to send yourself or whoever the file(s) and then not have them on the server at all.

There is also “Delete Entries After Submission”, which gets rid of the entry altogether including files after notifications are sent etc.

We have put some thought into encrypting uploaded files but it would likely require users to view the files through the Gravity Forms interface or another custom interface as any external file access wouldn’t perform decryption. This is something we are still considering but there is no current timeline on development.

Herdl

Herdl Purchased

Thanks for the reply on this

lrswbm

lrswbm Purchased

Good afternoon,

We use the zapier add on a great deal to add extra functionality to our forms. Is your plugin compatible? Does the data get submitted to zapier before it is encrypted?

Look forward to your reply. Thanks

Hello,

We have not tested Zapier functionality. The data is encrypted when it is actually being saved to the database through Gravity Forms on submission (or on manual entry update). If you check with Zapier as to when or how the data is sent to their plugin, that should help determine if it would be encrypted. If it’s after the entry is created / saved to database then it would be. If before, then it should not be. If data is pulled through Gravity Forms merge tags you can just use our decrypted merge tags to output decrypted data.

Hope this helps

lrswbm

lrswbm Purchased

Thanks for the prompt reply. With previous discussions with Gravity forms I’m sure they said the add on fired before the save to database so should be ok. It might be a case of just testing.

I just got notice of a plugin update for encrypted fields. Will this auto update or do I need to update it manually? Is there a specific process for updating the plugin so that it does not affect encryption on a live site?

At this time the plugin requires manual updates after downloading the latest version of the plug-in from the site here. Full update instructions are in the plug-in’s README file, so be sure to read that and follow the instructions.

After updating to the version 3.9.2 all the data I had disappeared within Gravity Forms. What should I do now?

Updating should be replacing the plugin folder contents via SFTP or SSH, or a WordPress plugin which accomplishes this.

Please check the system check on the settings page to make sure all configuration is still set.

Ver 3.9.2 only adds a settings page link to the plugin page vs previous versions and no other changes were made, but if you’ve used an unfamiliar update process you might want to roll back to the previous version and upgrade via the .readme file instructions.

Well. I just entirely deleted the plugin and then reinstalled the older version I had, and everything works fine now :). But I still do not know what the problem was. I updated the last time through the regular WordPress updater, and everything was fine.

Hmm. Without knowing what plugin or interface you’re using to update, it’s hard to say what went on. But again, our plugin does not list any official automatic updates on the plugins page.

You can try just going into maintenance mode and deleting the old version and just installing the new version IF you’re saving plugin options on uninstall. You’ll have to regenerate the website key quickly by saving settings on the settings page if you do it that way. But then at least you can be sure you’re installing the official new version as downloaded from here.

mimmt

mimmt Purchased

Hi, will this help with GDPR compliance?

While GDPR is fairly obscure in its reference to “reasonable efforts”, the encryption or auto deletion of collected data from the server such as this plugin offers could certainly be a nice piece of the puzzle in compliance. But per GDPR there are also many other factors to consider like user IP, cookies, etc. for full compliance.

If I have a website hosted on Godaddy, will this plug-in do what I need to make intake forms HIPAA compliant? I get the sense that Godaddy itself does not do BAA and they are not compliant, so I’m wondering if by encrypting certain information on the forms that they don’t need to be. If the answer is yes for that question, should I purchase SSL from Godaddy for the website as well, or will that not be necessary?

When it comes to HIPAA we do not offer advice on achieving HIPAA compliance, but we can state that encryption of data at rest is just one little part of compliance. There are a lot of other factors that would need to be in place to achieve compliance and SSL would be another small part.

There are some online resources that give general overviews such as this one:

https://www.aptible.com/learn/hipaa-compliance-for-developers-getting-started/#the-security-rule, but we would recommend pursuing professional legal and technical help in regards to achieving HIPAA compliance.

After applying the encryption on Gravity forms, all the data of the forms are blank? Cannot seem to get any information. Please help! thank you

Can you please detail here the steps you took to “apply encryption”? Are you talking about encrypting previous entries or turning encryption on for fields for newly submitted data?

Does your system meet the “system check” on the settings page?

Have you entered anything into the “encrypted restricted display” or “hide value restricted display” settings per the instructions so that you can see when you simply do not have access to encrypted and hidden data instead of it showing up as blank?

There is a button labeled “show/hide full setup instructions” on top of the settings page that will display quick and full setup instructions with numbered steps on how to get up and running.

I turned on the encryption for new entries only. I attached “capture 2”, this may be the issue why everything shows blank. Not sure how to fix it. System check shows green on all items. I do not know where is the “encrypted restricted display”. I used admin and the user ID to decrypt content but it is still blank? I tried to follow through but I still can’t figure out where I went wrong?

If you turned encryption on for fields and suddenly cannot see the old or new data it is because you have not correctly given yourself view permissions to the data. The old data is NOT encrypted and is just hidden. And it will not be encrypted unless you run manual encryption on it through the settings screen encryption tool. Any new data entered IS encrypted. You would not have access to view either if you don’t have view permissions for the field.

Currently, if you just turn encryption off for the field, the old data would be viewable again since it is not encrypted and any new data entered that was encrypted would still be hidden (or show the encrypted restricted display if you have anything in that setting).

User names and roles used to grant view permissions are case sensitive and must be entered exactly as they are listed in the user or role listing within WordPress. They must be comma separated. Example:

Bob, John, administrator

If your user name is not “admin” then entering “admin” will not give you view permission unless that is the exact name of a role your user belongs to. You need to enter your exact user name in the field’s “view permission” setting to give yourself access. Or if you are the only person that needs to view decrypted data, enter your username into the “User Access List”, and enter “lockdown” on the “User Lockout list” on the settings page and save changes. That would give only you access to all encrypted and hidden field data.

The “encrypted restricted display” is one of the settings on the settings page where the system check is. This setting determines what you see when you do not have access to view encrypted data. The “hide value restricted display” setting right next to it determines what you see when you do not have access to view hidden data that is not actually encrypted.

Please enter something into both of these settings and save changes. This will show up instead of blank fields and tell you when you don’t have access to view either hidden or encrypted data.

This is all covered step by step in the setup instructions, but if you review and correct the above and are still having trouble, assuming you’re using a test site or form to work with before going live, if you would like us to review the setup you can send us a temp admin login and login link via email through our author contact form on our author page so we can correct the setup and/or review what the issue is and reply to you here.
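The state described in this reply (old values stored as plaintext and only hidden, new values stored encrypted, ciphertext remaining after encryption is switched off) can be checked against the stored values directly. The following is an added example, not part of the original comments and not the plugin's code. The table name `entry_detail`, its columns and the sample rows are constructed for illustration, and the `GFEncrypt:` marker is assumed from the sample string quoted in the setup instructions.

```python
import sqlite3

# Assumption: stored ciphertext starts with this marker, as in the sample
# string quoted in the plugin's setup instructions.
MARKER = "GFEncrypt:"


def build_sample_db():
    """In-memory stand-in for the entry value table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entry_detail "
        "(entry_id INTEGER, form_id INTEGER, field_id TEXT, value TEXT)"
    )
    rows = [  # constructed sample data
        (1, 1, "3", "jane@example.test"),            # saved before encryption was on
        (2, 1, "3", "GFEncrypt: CONSTRUCTED-0001"),  # saved after
        (3, 1, "3", "GFEncrypt: CONSTRUCTED-0002"),
        (1, 1, "4", "555-0100"),                     # only old, plaintext values
        (2, 1, "5", "GFEncrypt: CONSTRUCTED-0003"),
        (3, 1, "5", "GFEncrypt: CONSTRUCTED-0004"),
        (1, 1, "6", "GFEncrypt: CONSTRUCTED-0005"),  # encryption later turned off
        (2, 1, "6", "blue"),
        (1, 1, "7", "newsletter"),                   # never encrypted
    ]
    conn.executemany("INSERT INTO entry_detail VALUES (?, ?, ?, ?)", rows)
    return conn


def audit_fields(conn, encrypted_fields):
    """Classify each (form_id, field_id) by what is actually stored.

    encrypted_fields: set of (form_id, field_id) that currently have
    encryption turned on in the form editor.
    """
    counts = {}
    query = "SELECT form_id, field_id, value FROM entry_detail"
    for form_id, field_id, value in conn.execute(query):
        stats = counts.setdefault(
            (form_id, field_id), {"encrypted": 0, "plaintext": 0}
        )
        if not value:
            continue  # empty submissions carry nothing to protect
        kind = "encrypted" if value.startswith(MARKER) else "plaintext"
        stats[kind] += 1

    findings = {}
    for key in set(counts) | set(encrypted_fields):
        stats = counts.get(key, {"encrypted": 0, "plaintext": 0})
        enc, plain = stats["encrypted"], stats["plaintext"]
        if key in encrypted_fields:
            if enc and plain:
                status = "mixed"          # old rows still readable in the DB
            elif plain:
                status = "not-encrypted"  # hidden in admin, plaintext at rest
            elif enc:
                status = "encrypted"
            else:
                status = "no-data"
        else:
            status = "leftover-ciphertext" if enc else "plaintext"
        findings[key] = {**stats, "status": status}
    return findings


def needs_attention(findings):
    """Fields whose stored state differs from what the setting suggests."""
    flagged = {"mixed", "not-encrypted", "leftover-ciphertext"}
    return sorted(k for k, v in findings.items() if v["status"] in flagged)


if __name__ == "__main__":
    conn = build_sample_db()
    report = audit_fields(conn, {(1, "3"), (1, "4"), (1, "5"), (1, "8")})
    for key in sorted(report):
        print(key, report[key])
    print("review:", needs_attention(report))
```

Fields reported as `mixed` or `not-encrypted` are the ones the “Encrypt/Decrypt Form Entries” tool mentioned in the thread is meant for.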

Hi there, I just received an email saying that Gravity Forms Encrypted Fields has been updated, but I can’t find any instructions on how to do this. Could you point me in the right direction or let me know how to do it? Thanks so much :)

Hello,

Each downloaded plugin zip file has a .readme file in it which details how to update the plugin in the Installation section under “Upgrade”.

In short, the directions are to backup your DB and site files and offline the site for a second, then either copy over your current plugin files via SFTP or SSH according to the upgrade instructions, or if really unable to use SFTP or SSH you can disable and remove the plugin through the WordPress plugin page and install the new one, then if needed re-create the website key or enter it again by visiting the plugin settings page, and bring the site back up.

Please check the .readme file for more specifics :)

As a note, if you go about updating by removing and reinstalling the plugin through WordPress you will want to be sure you have the option to save plugin settings on uninstall turned on first :)

The new version of the plugin will be available in your profile’s downloads here on CodeCanyon.

I have not heard anything since my last email. How do I decrypt everything and bring it back to normal? I still see blanks, thanks.

Please read and respond to your original support comment above to help keep this in one place. We have responded there yesterday.

Hello,

I am running a wordpress multi site installation. Will it work on that?

I also want to make sure not everybody can edit a form. I want everybody to see the form on the front-end. But want to assign user role to editing the form.

In my case I want certain forms locked in the backend for certain user roles. So on client sites my client can see the forms but can not edit them at the backend.

Hope to hear from you soon.

Regards, Guido

Multisite testing is not complete yet on our end, so we cannot give you definitive compatibility for it at this time but the code is not written to be network-wide at this point so if you do try it on multisite, each site would have its own individual settings instead of single settings multisite wide.

Restricting certain user capabilities like form editing or form entry viewing can be achieved with plugins such as “User Role Editor” or similar.

Any progress on the encryption of list fields? Is this likely to be included any time soon?

Thanks – there are new regulations coming in in Europe next year (GDPR) with an increased focus on data security, so any progress on this would be useful.

update:

Version 4.0 (currently in development)
  • Added list fields as fully supported field type for encryption.
  • Added the {gfef_decrypt_ALL+} merge tag which outputs decrypted display of all fields from entry form regardless if data is encrypted or hidden. The behavior of this merge tag closely replicates the standard Gravity Forms {all_fields} tag but it decrypts all data.
  • Added the {gfef_decrypt_ALL+_USER} merge tag which outputs decrypted display of all fields the current user has access to from the entry form regardless if data is encrypted or hidden. The behavior of this merge tag closely replicates the standard Gravity Forms {all_fields} tag but allows for data the user has permissions to to be viewed where the normal {all_fields} tag would show a restricted display due to the merge tag filter.
  • Improved decrypted/encrypted merge tag option instructions.

These items listed are already functionally implemented but require some further testing, and some additional updates are likely to go in before version release. In any case all items listed here should be present in this next update. No release date at this time but generally our releases are within a couple weeks from completion of implementation of items going in.

Update:

Ver. 4.0 has been submitted for release. Please view the changelog on the item’s description page for a full list of changes/updates in this version.

Hello,

I am about to start building some submission forms for my client (will use gravity forms) and I need all the data to be encrypted as we are gonna be collecting sensitive data. So the process will be such: a customer submits an online form, the information goes to the database, our company’s software will ‘grab’ that submission through sFTP and autopopulate all the information in our system. My question is, if I encrypt the database, will the software be able to download the xml files and decrypt it?

Thanks!

If your software is accessing the database directly it will get whatever it’s designed to do, but the data will be encrypted still.

A developer should be able to look at our decryption code and build in custom decryption using your keys relatively easily as long as the language supports SSL (presuming you use SSL). Custom development is not something we support standard but we are for hire.

Our plugin only decrypts for you when used through the Gravity Forms interface or API to retrieve data from the database.

The plugin also allows for sending out encrypted data in the notification emails if you wish to have your software parse it on reception or it can send the decrypted data via email as well.

Hi – I just purchased your plugin, and configured it correctly (all the checkmarks are green). I’m logged in as admin, and tested my form but all the entries are still viewable for that form.

So I can’t tell if the data is actually encrypted or not – how do I make sure it’s encrypted and I’m only able to see it because I’m admin?

I have the following settings turned off:

- ENCRYPTION VERIFICATION MODE
- User lock down list: lockdown

Thanks for any assistance, I’m looking forward to trying it out on my production server once I know it’s working as expected.

We have recently overhauled the instructions (at the top of the setting page when you click the “Show/Hide full Setup Instructions” button) for the plugin to make them more clear and concise for new users. I do not believe they are included in the last release version yet though, so I have copied them below although the quick links to the settings are not present in this copied version. They cover setting the plugin up and verifying data encryption.

GETTING STARTED: Follow the below numbered instructions to set up and test your site’s Gravity Forms data encryption. As you set up each option or setting, read the instructions and help dialogs before using/changing the option or setting to learn more about its functionality.

It is STRONGLY recommended that you back up your database before proceeding and that you DO NOT initially set up encryption on a live form, but make a copy of your form for testing on a private page until you understand how to use the plugin and have tested the encryption successfully.

This plugin encrypts data for storage in the database for selected fields at the time of form submission or on entry update if the field data is changed and displays both encrypted and non encrypted submitted field data properly whether or not encryption is turned on for a field at any time.

Switching encryption on or off AFTER data is submitted to a field will not encrypt or decrypt previously submitted data in the database, unless it is changed and updated after encryption is turned on or off, and could result in some data being encrypted and other data left not encrypted for the same field. However when encryption is turned ON for a field, any previously unencrypted data submitted will still be blocked/hidden from users without view permissions using the “hide field value restricted display”. This indicates that while the data value is being hidden in admin, it is NOT actually encrypted.

It is strongly recommended to decide on encrypting a field at its creation and leave it on permanently from there, while “hide field value” can be turned on or off at any time.

This plugin can also optionally simply hide field data values in admin from individual users without permission. This option uses no encryption, but can be great for sites that just need a solution to hide form field data from some users.

SETUP

1. Ensure your system meets the below system check requirements.

2. First follow “Encryption Type” setup instructions below. Enter “encrypted” (or whatever you’d like) into the “Encrypted Field Restricted Display” and enter “hidden” (or whatever you’d like) into the “Hide Field Value Restricted Display” so you can see when values are being restricted from a user’s view instead of just being blank. Then enter a strong custom encryption password and Save Changes again.

3. Once the password is saved, your encrypted fields will begin to be saved under the given website key/password combination.

4. If you are going to only hide admin field values and not use encryption at all, turn on the “Encryption Bypass” below.

5. Use the form fields “Advanced” tab encryption options to turn on the database encryption or hide field value option per individual field (or optionally use the “Global Form Encryption Switch” on this page to turn encryption or “hide field value” on for all supported fields on a specified form at once). Once a field’s encryption or hide field value is turned on and the form is updated you will see a small lock by encrypted fields and a small blocked eye by hidden fields for quick reference in the form editor.

If this is a single user setup you can skip to #9 below although it is recommended to read #6-7 to be aware of the functionality.

6. By default, ALL users that can view form entries have view permissions to an encrypted field’s data unless a field has anything entered into its “User View Permission” setting. Once any usernames/roles are entered into a field’s “User View Permission” setting, only those users/roles will have view permissions to the field’s encrypted or hidden data, and all other users not listed will be restricted unless they have an overriding view permission. The “User View Permission” is per individual field and hovering over the help icon there will detail how it works as well as point to additional global permissions for more control.

7. You can use the “Limit User/Role View Permission Lists” list below to enter comma separated user names to globally restrict what user names are valid when entered into any fields “User View Permission” list.

8. You can use the “User Lockout List” below to enter comma separated user names to globally BLOCK individual user view permissions for ALL encrypted or hidden field values, regardless of individual fields “User View Permission” settings. To quickly lock out all users enter “lockdown” in the “User Lockout List”.

9. You can use the “User Access List” below to enter comma separated user names to globally ALLOW individual user view permissions for ALL encrypted or hidden field values, regardless of individual fields “User View Permission” settings and “User Lockout List” settings. NOTE:To quickly only give a single user ALL view permissions and lock everyone else out, enter “lockdown” in the “User Lockout List” below, and enter the username of the user you are giving view ALL permissions to in the “User Access List” below.

10. You can use the “User/Role Encrypted Field Native Search Permission” setting below to give users/roles the ability to search for encrypted field values in the Gravity Forms entries view.

11. It is strongly recommended that you use the “Merge Tag Restricted Display Filter” (This is on by default with the checkbox NOT CHECKED to bypass it) and the “{all_fields} Merge Tag Exclude/Include Options” to prevent users with view permissions from sending out a form’s encrypted or hidden field data in notifications, confirmations, or other Gravity Forms merge tag uses as readable. This will block all encrypted and hidden field data from being sent out in notifications/confirmations with the restricted display. If you would like to output field data as readable in notifications and/or confirmations, use the decrypted merge tags by allowing them per form/field with the setting below. They always output the readable decrypted field data.

12. Follow below instruction for testing and encryption verification (13-14), then review the additional options available on this settings page for additional access controls, field data masking, decrypted merge tags, entry/file auto deletion, and more.

13. TESTING When 1-11 are complete, backup your database if not done already, and do some test entries in a test environment if possible. Check results with various dummy users to be sure your setup is functioning as intended before going live. Additional options available below may be used or disabled for your sites needs as well.

14. ENCRYPTION VERIFICATION Once submitted field data is saved encrypted in the database, the field data will be automatically decrypted and readable for users/roles with permissions when viewing in all admin interfaces and export options. This means that you should NOT ever expect to see encrypted strings such as “GFEncrypt: 7ef46193a17a23580e1019c054OURma215VFJuWVlyUGtCZkdnZmQ2dz09” in the admin interface (unless you either have “ENCRYPTION VERIFICATION MODE” on to verify encryption, or are using encrypted merge tags to display encrypted strings). The data should always either be returned as readable for users with view permissions, or should return the restricted display for the type of restriction occurring (encrypted/hidden). After you have encrypted some data through form submission or update or the “Encrypt/Decrypt Form Entries” tool, if you can still read it as normal, it is because you have the view permissions to do so. If you want to verify it is actually encrypted you can use one of the following methods to do so:

- Use “ENCRYPTION VERIFICATION MODE” below. (shows actual encrypted strings)
- Log into your database and view the direct data. (shows actual encrypted strings)
- Remove your view permissions temporarily. (shows restricted display)
- Log in with a user without view permissions. (shows restricted display)

EDITING ENCRYPTED FORM DATA To edit encrypted or hidden data, just edit the form entry as usual using the entry detail editor in Gravity Forms. Any users who can edit entries but cannot read hidden or encrypted data can still enter new data over it from the entry edit screen.

ENCRYPTING/DECRYPTING PREVIOUSLY SUBMITTED DATA To encrypt/decrypt previously existing database field values please use the “Encrypt/Decrypt Form Entries” tool on this page below.

UPDATING THE PLUGIN To update the plugin, follow the plugin’s readme file in the INSTALLATION->Upgrade section. The readme file is located inside the main .zip file of the plugin which can be unzipped to show contents. Please refer to your operating system for instructions on unzipping a .zip file.
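The order in which steps 6-9 of these instructions say the permission settings override each other, as an added example that is not the plugin's code and not part of the original comments. The class and function names are hypothetical, and one behaviour is an assumption the instructions do not state: names removed by the limit list leave the field restricted rather than open to everyone.

```python
from dataclasses import dataclass


def parse_list(raw):
    """Split a comma separated setting. Names are kept case sensitive."""
    return [part.strip() for part in raw.split(",") if part.strip()]


@dataclass
class GlobalSettings:
    """Hypothetical container for the three global lists on the settings page."""
    user_access_list: str = ""
    user_lockout_list: str = ""
    limit_view_permission_list: str = ""


@dataclass
class User:
    name: str
    roles: tuple = ()


def can_view(user, field_view_permission, settings):
    """Return (allowed, reason) for one user and one encrypted/hidden field.

    field_view_permission is the field's own "User View Permission" text.
    """
    # Step 9: the access list wins over everything, including "lockdown".
    if user.name in parse_list(settings.user_access_list):
        return True, "user access list"

    # Step 8: the lockout list blocks regardless of the field's own list.
    lockout = parse_list(settings.user_lockout_list)
    if "lockdown" in lockout:
        return False, "lockdown"
    if user.name in lockout:
        return False, "user lockout list"

    # Step 6: an empty field list means every entry viewer may read it.
    entries = parse_list(field_view_permission)
    if not entries:
        return True, "default"

    # Step 7: the limit list decides which names are valid in a field list.
    # Assumption: filtered-out names do not reopen the field (fail closed).
    limit = parse_list(settings.limit_view_permission_list)
    if limit:
        entries = [name for name in entries if name in limit]

    # Exact, case sensitive match on the user name or one of the roles.
    if {user.name, *user.roles} & set(entries):
        return True, "field view permission"
    return False, "not listed"


if __name__ == "__main__":
    editor = User("jsmith", roles=("administrator",))
    cases = [
        ("admin", GlobalSettings()),                      # wrong name, denied
        ("Bob, John, administrator", GlobalSettings()),   # role match
        ("", GlobalSettings(user_lockout_list="lockdown")),
        ("", GlobalSettings(user_access_list="jsmith",
                            user_lockout_list="lockdown")),
    ]
    for field_list, settings in cases:
        print(repr(field_list), settings, can_view(editor, field_list, settings))
```

The first case reproduces the earlier report in this thread where entering “admin” did not grant access to a user whose name was not “admin”.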

Hi there, I’ve installed the plugin on a local development machine (i.e. localhost) and have followed the steps in the readme to set it up for the first time (i.e. the System Check checklist in the plugin’s settings only contains green checks). However, I’ve noticed that a “notice”-level error message appears when Wordpress’ debug mode is turned on (i.e. setting WP_DEBUG to true in wp_config.php). This message, along with the basic steps I took, is:

1) Create a contact form.

2) Create at least one field.

3) Click on the “Advanced” tab, then click on the “Encrypt Field Value” radio button to set it.

4) Click on “Update” to save changes. Confirm that the lock icon appears beside the form field you made.

5) Click on the “Preview” tab. Enter anything into the text box and click “Submit” to submit the form.

6) Once the form submits, a debug message is displayed: “Notice: Undefined variable: config in /app/public/wp-content/plugins/gravity-forms-encrypted-fields/gravity-forms-encrypted-fields.php on line 1219”

I looked at the GFEF plugin code, at the gfef_delete_active_form_entry_files() method. From what I understand, the local variable $config is only declared when the GFUser class exists. If the GFUser class is not found, then $config is never declared, which is why the error message appears.

I then did a global search for the GFUser class in both plugins, but I can’t find it declared in either this plugin, nor the Gravity Forms plugin.

To be clear, I’m working with the latest version of Gravity Forms, which is installed. Here are my relevant specs:

- Gravity Forms version 2.2.5.13

- Gravity Forms Encrypted Fields – the latest version (i.e. the version from 19 November 17)

- Developing on local machine – using Local by Flywheel version 2.1.2

- Local by Flywheel sandboxes a separate dev VM with the following installs:

- Wordpress version 4.8.3

- PHP version 7.1.7

- mysql version 5.6.37

I’m a bit confused as to why this issue is occurring. Please let me know how I can fix this issue.

Thanks!

Ok, but for the record we do not recommend editing the core plugin or redefining variables that are defined elsewhere as other unknown Gravity Forms or WordPress core functionality could be affected.

It is just a notice and not an actual error occurrence which will not be displayed in or affect a production/live environment at all either way, so the risk of potential damage is not really likely worth the reward to only stop the notice within the test environment that has debug on. :)

Yes, I would agree with you that editing the core plugin might affect other areas that you didn’t anticipate! For those of you reading, yes, I wouldn’t recommend making edits directly.

I’m just hoping that, eventually, there will be additions made to the code that handle these kind of edge cases elegantly, so that no messages of any type appear. :)

Cheers, and thanks for the quick responses!

We’ll take a look at it to remove the notice for those running debug mode. Offhand defining the $config as null there will probably be just fine. But possibly may just check for “$config &&” in the if statement where $config is being called. We’ll have to look at how it’s being used closer. :)

But again. In an actual live environment this has no effect or resulting notice. The variable doesn’t exist unless the GFUser class does, so when its index is checked in the if statement the result is always just false which is a valid return. That’s why it can give a notice, but not a warning or an actual error in debug.

Hello, this looks like a plugin I would need. We store clients’ sensitive data on our website. My first question would be: Does your plugin encrypt query data with merge tags passing from one form to another? Form 1 (details and payment price) -> Form 2 (payment form that handles credit cards). I want to make it so that users could not modify the query. How does your plugin work with other plugins: Gravity PDF, Gravity Wiz, Gravity View? We have an expansive system and I am afraid that this could mess up some of the functionality.

Hello,

I can try to answer some of these questions for you. As far as playing nicely with Gravity PDF, Gravity Wiz, and Gravity View: our plugin uses the core Gravity Forms API to encrypt and decrypt and occasionally taps into the Gravity Forms framework, so relatively speaking any other plugins that stick to using the API to access data should all play nicely. Complete compatibility is always potentially in flux of course as they and we can change things here and there, but the plugins you mention seem to stick to core API functionality as we do at this time. At this time our plugin is being used in conjunction with Gravity View quite often and we even have some special merge tags developed for using in Gravity View that allow you to pull field data according to the viewing user’s permissions to that data for views. We use Gravity PDF ourselves and have had no conflicts. Functionality is as one would expect where if you have access to data, you get it, if not, you do not. Gravity Wiz has a number of small plugins and we haven’t heard of any conflicts with any of them, but consider that with ANY encryption you would have potential issues if you are encrypting data that another plugin needs to function and that other plugin either doesn’t pull data through the core API or uses anonymous access where the “user” would not have permissions to the data to have it decrypted, because data protection is not just about encryption, it’s about protected access to decryption, or there is little point. In either case I think you will find that most use cases work terrific. As always, first testing on a test version of your site with things that manage your important data is recommended.

As far as the ability to send encrypted query strings, the short answer is yes, you can do that. But, it would not stop the user from just changing a query string because it’s an encrypted string. Another point to note is that there is no functionality to take encrypted query strings and decrypt them for pre-filling any form data, so unless you are passing this to a third party or system with your own decryption based off ours it would not be of use. That being said I am personally wondering why the 2 separate forms, when it’s possible to just have another page or have the card processed on the same page of the same form? Specifically for payment you would likely want the ability for the user to change details and have that update the resulting pricing as well. But separating the two unfortunately opens up more possibilities for augmenting the payment amount than just the query strings.

UPDATE:

Pending your use case you can actually pass encrypted data very easily to another form and it will be decrypted for users with view permissions AFTER the secondary form is submitted. This could be helpful to pass along information securely to a secondary Gravity Form on your site where the user does not need to see the entered information again on the secondary form but it needs to be submitted with the secondary form again for tracking purposes, such as passing forward a name and contact information to be able to attach to the secondary form as well.

Here is a F.A.Q we have written which details how to set this up: https://codecanyon.net/item/gravity-forms-encrypted-fields/18564931/faqs/31034
luyendao

luyendao Purchased

Having trouble setting this up – I believe I have followed all the steps after installation, but when viewing entries they still appear unencrypted. Not sure how to test this…

Any chance you can email me, and I can share a dev site login?

If you’ve set up the plugin properly (all system checks are green and fields have encryption turned on) this is normal operation of the plugin.

Assuming you are running the latest version of the plugin (ver 4.0), testing/verifying encryption is also covered in the setup instructions.

I’ve pasted some of the pertinent information from the setup instructions below which should explain, but I would re-read the full instructions before and beyond the initial setup steps as they cover what to expect for initial functionality in detail.

“15. ENCRYPTION VERIFICATION
Once submitted field data is saved encrypted in the database, the field data will be automatically decrypted and readable for users/roles with permissions when viewing in all admin interfaces and export options. This means that you should NOT ever expect to see encrypted strings such as “GFEncrypt: 7ef46193a17a23580e1019c054OURma215VFJuWVlyUGtCZkdnZmQ2dz09” in the admin interface (unless you either have “ENCRYPTION VERIFICATION MODE” on to verify encryption, or are using encrypted merge tags to display encrypted strings). The data should always either be returned as readable for users with view permissions, or should return the restricted display for the type of restriction occurring (encrypted/hidden). After you have encrypted some data through form submission or update or the “Encrypt/Decrypt Form Entries” tool, if you can still read it as normal, it is because you have the view permissions to do so. If you want to verify it is actually encrypted you can use one of the following methods to do so:
- Use “ENCRYPTION VERIFICATION MODE” below. (shows actual encrypted strings)
- Log into your database and view the direct data. (shows actual encrypted strings)
- Remove your view permissions temporarily. (shows restricted display)
- Log in with a user without view permissions. (shows restricted display)”

“Switching encryption on or off AFTER data is submitted to a field will NOT encrypt or decrypt previously submitted data in the database, unless it is changed and updated after encryption is turned on or off, and could result in some data being encrypted and other data left not encrypted for the same field. However when encryption is turned ON for a field, any previously unencrypted data submitted will still be blocked/hidden from users without view permissions using the “hide field value restricted display”. This indicates that while the data value is being hidden in admin, it is NOT actually encrypted.”

“To encrypt/decrypt previously existing database field values please use the “Encrypt/Decrypt Form Entries” tool on this page below.”
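The mixed-state case described in the quoted instructions (a field with encryption turned on that still holds older plaintext values) can be checked from a direct database read. The following is an added example, not code from the plugin or its author: `audit_fields` and the row layout are hypothetical, the rows are constructed, and it assumes encrypted values begin with the `GFEncrypt:` marker shown in the sample string above.

```python
from collections import defaultdict

# Assumption: encrypted values start with the marker seen in the sample
# string quoted in the setup instructions above.
MARKER = "GFEncrypt:"

# Constructed sample rows (entry_id, field_id, stored_value), standing in for
# values read directly from the database. Ciphertexts are placeholders.
SAMPLE_ROWS = [
    (101, "3", "Jane Example"),                       # saved before encryption was on
    (102, "3", "GFEncrypt: CONSTRUCTED-CIPHERTEXT-1"),
    (103, "3", "GFEncrypt: CONSTRUCTED-CIPHERTEXT-2"),
    (101, "4", "GFEncrypt: CONSTRUCTED-CIPHERTEXT-3"),
    (102, "4", "GFEncrypt: CONSTRUCTED-CIPHERTEXT-4"),
    (101, "5", "555-0100"),
    (102, "5", ""),                                   # empty: nothing to protect
]


def audit_fields(rows, protected_fields):
    """Return {field_id: (status, plaintext_entry_ids)} for each protected field.

    status is 'encrypted', 'plaintext', 'mixed' or 'empty'.
    """
    stats = defaultdict(lambda: {"enc": 0, "plain": []})
    for entry_id, field_id, value in rows:
        value = (value or "").strip()
        if field_id not in protected_fields or not value:
            continue
        if value.startswith(MARKER):
            stats[field_id]["enc"] += 1
        else:
            stats[field_id]["plain"].append(entry_id)

    report = {}
    for field_id in protected_fields:
        enc = stats[field_id]["enc"]
        plain = sorted(stats[field_id]["plain"])
        if not enc and not plain:
            status = "empty"
        elif not plain:
            status = "encrypted"
        elif not enc:
            status = "plaintext"
        else:
            status = "mixed"
        report[field_id] = (status, plain)
    return report


if __name__ == "__main__":
    for field, (status, entries) in audit_fields(SAMPLE_ROWS, ["3", "4", "5"]).items():
        print(f"field {field}: {status}; plaintext entries: {entries}")
```

Any field reported as `mixed` or `plaintext` holds values that are only hidden in admin, not encrypted, and is a candidate for the “Encrypt/Decrypt Form Entries” tool mentioned above.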

sophiart

sophiart Purchased

Hello,

I purchased gravity forms encryption plugin not long ago and I have some questions about the encryption:

We need to understand where the website key and encryption key are stored (if they are) and how they might be exposed in the same event of a website/server hack.

What would someone have to do to gain access of the data?

If someone copied the website as a whole, including the contact form database, would they be able to read the data?

We handle very sensitive information on our website and worry about the security of our clients. Would greatly appreciate a response to these questions.

Thank you!

One would need to have complete access to your database and your webhost directories in order to get at the data that is encrypted and attempt to decrypt it manually by running our plugin’s decryption functions with the proper keys. It’s worth noting that access like that is a total compromise of your site no matter what in any given scenario because it IS your site in full.

Any copy of the full website/database is subject to the same.

Like most secure site unwanted access, User Logins with data access are going to be your biggest concern. People using weak passwords or unsecure networks when logging in that have data access. Enforcing strong passwords and other login protocol is generally a good idea. You can also only give access when needed in admin settings and otherwise keep all users locked out with a locked settings page (no password removal on uninstall) as well.

Are you planning on supporting the Signature addon for Gravity Forms? After reading about this addon it appears that the signature is saved in the database as an image file. I am apprehensive of using this addon because I do not want to be storing our user’s signature as an image file. What I am hoping for is to encrypt these stored images at rest in our database as another layer of protection.

Currently we have no set plans for signature support but we will definitely look into this to see what can be done for support.

It is worth noting that currently you can use the auto delete feature of our plugin to entirely remove entries from the database with any associated files after the notifications and confirmations go out, so if the entries do not actually require server storage at all you can still keep entry info by storing your e-mailed notification (easy to do as a .pdf which can include the signature image, if you use Gravity PDF) locally. This is a currently available feature which keeps ALL info out of your database.
