An Encrypted Form offers another layer of security on top of the already secured forms and submissions we offer. You may have read about this on our blog, Introducing Encrypted Forms: The Ultimate in Online Form Security.
If you’re here, then you’re probably looking for more info. Be warned that this is way longer than our usual guides so below is a quick list of all the questions answered here so you can quickly jump to the questions that matter to you:
- Are Forms and Submissions Secure Without the Encryption Feature Enabled?
- What Is the Difference Between a Secure Form and an Encrypted Form?
- How Can I Enable Form Encryption?
- How To Use an Encrypted Form?
- Where Can I Find the Private Key After Downloading It?
- Am I Notified via Email When an Encrypted Submission Comes In?
- How Can I Decrypt the Data From the Email or Through the Submissions Page?
- Does This Mean That I Can Now Ask for Passwords and User Credentials?
- Can I Now Ask for Credit Card Details Without a Payment Processor?
- Can I Share the Private Key With Others?
- Is It Available on the Free Plan?
- Are Keys Created per Form or per Account?
- What Will Happen if I Lose the Private Key?
- What Should I Do if I Lost the Key but Wanted To Keep Encryption Enabled?
- My Browser Opened Some Texts Instead of Downloading the Key – What Is That?
- Can I Still Accept Payments on Encrypted Forms?
- How Can I Turn off the Encryption on My Form?
- Is There Any Difference in Speed if Encryption is Turned On?
- Can I Use Any Integration on Encrypted Forms?
- What Happens To Uploaded Files on Encrypted Forms?
- Some features that are unavailable for Encrypted Forms
Are Forms and Submissions Secure Without the Encryption Feature Enabled?
Your forms and submissions are, as they have always been, secure. If you need an extra level of security, we recommend using the secured URL of your forms, as this causes the forms to be loaded over a secured (encrypted) tunnel. Remember, your form URL comes in two varieties:
- HTTP URL: http://www.jotform.com/1234567890
- HTTPS URL: https://www.jotform.com/1234567890
All forms you create now use the SSL (HTTPS) version by default. So yes, your forms and submissions are secure even without encryption.
Note that if you are not familiar with the feature, or have not heard of RSA algorithms, then you’ll most likely not need this feature at all.
What Is the Difference Between a Secure Form and an Encrypted Form?
When you get the embed codes (or the URL) of your secure form, it will use the HTTPS protocol. This means that strong encryption creates a tunnel between our servers and the people filling out your forms. When they submit the form, it is also submitted over this same HTTPS (secure) protocol, so with just that, your forms are safe.
While a secure HTTPS form encrypts data in transit, an encrypted form encrypts the stored data on top of that. There is no way to decrypt the stored submission data without the correct private key (more on this later). For ultimate security, we do not store the private keys on our end when you use encrypted forms.
How Can I Enable Form Encryption?
On your Form Builder, go to Settings > Form Settings > Show More Options, then toggle the Encrypt Form Data option to “Yes”.
As soon as you toggle it to “Yes”, you will get a modal popup that asks you either to add your own public key or to have one generated for you. We will go through both options.
Generating the Private Key for You
This is the recommended way if you’re not sure how to create private and public keys since we will make them both for you – Remember, they must be created properly for you to be able to utilize this powerful feature.
To get it done, just click the Create encryption keys for me button.
You will see it rotating a bit.
And then, you will be prompted to save the key.
If you’re not prompted to download it, don’t worry because we got that covered. You can just click on the Download Private Key button and that’s it.
Our recommendation is to save it in a place that is easy to find and where you can be sure it will not be removed. This is an important step, since no one will be able to decrypt the data if the private key is lost.
Uploading Your Own Public Key
So, you are a pro at this and would like to generate the private and public key pair yourself – Great! 😉
Within your terminal (Unix-based OS) run the next command to generate a private key file.
openssl genrsa -out rsa_2048_private.pem 2048
Then run the next command to generate a public key file.
openssl rsa -pubout -in rsa_2048_private.pem -out rsa_2048_public.pem
Finally, upload the generated rsa_2048_public.pem key file to JotForm.
As soon as you upload the public key, it is added to your account.
How To Use an Encrypted Form?
You use it just as you would any other form in your account. The only visual difference is a small green lock icon beside the submit button. Also, your data is now securely encoded before it is submitted, so do not worry about the strange characters that appear on the form just a moment before it is submitted – it’s just Podo, going through your data and making sure that it leaves the browser in a secure, encrypted way.
Where Can I Find the Private Key After Downloading It?
On a Windows PC, it’s most likely in the Downloads folder. So all you need to do to access it is to either type this into the File Explorer’s address bar:
If you’re a Mac user, check the Downloads folder.
Am I Notified via Email When an Encrypted Submission Comes In?
Yes, you are, but not in the usual way. Instead of seeing the actual submission data, you will receive an email stating that you received an encrypted response. It looks like this:
How Can I Decrypt the Data From the Email or Through the Submissions Page?
When you try to view an encrypted submission, you will be asked to upload your private key. This is where you will use the private key you downloaded earlier.
As soon as you’re done uploading it, it will show a success message.
Once you click on the (X) at the top right corner of the modal popup, it will decrypt the data.
If you’re not seeing any modal popup when trying to view an encrypted submission, this can only mean one of two things:
- Your form is no longer encrypted, which is why it is not asking you to upload a key. If you switch an encrypted form to non-encrypted, you can open the submissions without being asked for the private key; as soon as you turn encryption back on, it will start asking for the private key again. So, if the prompt doesn’t show up, scroll back up to the “How Can I Enable Form Encryption?” section above and ensure that Encrypt Form Data is set to “Yes”.
- If encryption is enabled, but you are not being prompted to upload your private key (while the data looks encrypted), this means that an incorrect private key file is stored on your browser’s Local Storage. The solution is to clear the local browser storage (this is different from browser cookies) to delete the stored private key file from your browser. Once the local storage is cleared, you will be asked to upload the private key file again on your next attempt.
Does This Mean That I Can Now Ask for Passwords and User Credentials?
Can I Now Ask for Credit Card Details Without a Payment Processor?
No, this is also forbidden and will lead to account termination. User credentials, credit card details, and other sensitive information are not allowed to be collected on JotForm. If you need to process payments, use any of our Payment Processors.
Can I Share the Private Key With Others?
Sure you can, but ideally you shouldn’t (unless you trust whom you’re sharing it with). Your goal with encryption is total security, so sharing the key is at your discretion.
Is It Available on the Free Plan?
Yes, of course! 😊
Are Keys Created per Form or per Account?
Public keys are stored on a per-account basis, and Jotform overwrites the existing public key when a new key is created. Old private keys can be used for the existing submissions, but new submissions will have to use the new key.
When you choose the Create encryption keys for me option for the first time, we will generate the public and private key pair for you. The public key will be stored at Jotform and the private key will be downloaded by you.
You can choose the I will use my existing keys option when enabling encryption on other forms if you prefer to use the same key. This is the recommended approach unless you need different keys for the new submissions.
And, if you choose the Create encryption keys for me option again, it will create a new key pair for your forms.
Remember, we do not store private keys, so you should keep all your private key(s) in a safe and secure place.
What Will Happen if I Lose the Private Key?
If you have lost the private key, then there is not much that you can do. It means that your encrypted data is lost forever: there is no copy of the key on our servers, and it is not possible to crack the one that you had.
Our only recommendation is to turn off encryption right away so you can start receiving submissions normally again. Leave the encrypted submission data on your Submissions Page just in case you find the key at some later point in time.
Note that if you can see decrypted data in some browser, but the key is lost, it may be possible to restore the key from that browser’s local storage. If this is the case, contact our support for instructions.
What Should I Do if I Lost the Key but Wanted To Keep Encryption Enabled?
It is possible to generate new keys by disabling the encryption feature and then enabling it again. Use the Create encryption keys for me option to generate a new key.
In case you’re wondering, no, the new keys will not decrypt the old data.
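The key-pair checks behind the openssl commands under “Uploading Your Own Public Key” and the key-replacement behaviour described above, as an added example that is not Jotform's code: it confirms that a private key file is the counterpart of a public key file, and shows that a regenerated private key cannot read data encrypted to the old public key. The temporary directory, the sample text and the use of RSA-OAEP through `openssl pkeyutl` are assumptions; the page does not describe Jotform's own encryption format.

```shell
#!/bin/sh
# Added example (not Jotform code). File names follow the page's openssl
# commands; the temp directory and sample text are constructed.

# Public key (PEM) derived from a private key file.
pub_from_private() { openssl rsa -in "$1" -pubout 2>/dev/null; }

# Public key file re-emitted in the same PEM form, for comparison.
pub_from_public() { openssl rsa -pubin -in "$1" -pubout 2>/dev/null; }

# Succeeds only if private key $1 is the counterpart of public key $2.
keys_match() {
    a=$(pub_from_private "$1") || return 1
    b=$(pub_from_public "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeeds only if private key $1 decrypts data encrypted to public key $2.
# RSA-OAEP via pkeyutl is an assumption; the page does not give Jotform's scheme.
can_decrypt() {
    msg='constructed sample field'
    ct=$(mktemp) || return 1
    printf '%s' "$msg" | openssl pkeyutl -encrypt -pubin -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -out "$ct" 2>/dev/null || { rm -f "$ct"; return 1; }
    out=$(openssl pkeyutl -decrypt -inkey "$1" -in "$ct" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null) || out=
    rm -f "$ct"
    [ "$out" = "$msg" ]
}

# Generate a key pair named like the page's files inside directory $1.
make_pair() {
    ( umask 077   # private key readable by the owner only
      openssl genrsa -out "$1/rsa_2048_private.pem" 2048 2>/dev/null &&
      openssl rsa -pubout -in "$1/rsa_2048_private.pem" \
          -out "$1/rsa_2048_public.pem" 2>/dev/null )
}

# Old pair, then a regenerated pair: check both before relying on either.
rotation_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/old" "$d/new" && make_pair "$d/old" && make_pair "$d/new" || return 1
    keys_match "$d/old/rsa_2048_private.pem" "$d/old/rsa_2048_public.pem" && echo "old pair: match"
    can_decrypt "$d/old/rsa_2048_private.pem" "$d/old/rsa_2048_public.pem" && echo "old key reads old data"
    can_decrypt "$d/new/rsa_2048_private.pem" "$d/old/rsa_2048_public.pem" || echo "new key cannot read old data"
    rm -rf "$d"
}

rotation_demo
```

Running `keys_match` against the backup copy of the private key before uploading the public key confirms that the backup is the file that will actually be needed later.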
My Browser Opened Some Texts Instead of Downloading the Key – What Is That?
That is the private key. Depending on your browser’s MIME setting you might have it set up to open the file in the browser, to download/save the file, or to pass it on to some application on your computer.
For example, Safari seems to show the file instead of offering a download.
What to do in such cases? Just copy the content and paste it into some empty file and name it as you wish. Just remember to save it in a safe place and never lose it.
Can I Still Accept Payments on Encrypted Forms?
Yes, you can. The data sent to the payment processor you are using will not be encrypted for further handling. This way, your products/subscriptions/donations, their individual prices, and the total values will never be encrypted.
How Can I Turn off the Encryption on My Form?
On your Form Builder, go to Settings > Form Settings > Show More Options, then toggle the Encrypt Form Data option to “No”.
Is There Any Difference in Speed if Encryption is Turned On?
The loading time of your forms should be the same, but once you hit submit, the form will need to go through each field to encrypt it.
This means that some extra time will be added to the submission of your form, but this would only depend on the number of fields on your form and its complexity, so it will very likely take a bit of time on a form with over 500 fields in it. The encrypted submission data may also take some additional time to load.
Can I Use Any Integration on Encrypted Forms?
Yes and no. While you can create the integration and send the data to it, please note that the data is encrypted on the side of the user submitting the form. Therefore, the same encrypted data will be passed to your integrations.
As such, the data itself is rather useless on the integration end since you will not be able to use it unless you have a way to decrypt the data on the side of that integration. This may be possible using some services, but this is not something we cover.
What Happens To Uploaded Files on Encrypted Forms?
They are handled as is, meaning that any file that gets submitted to your form (a photo, document, etc.) is left unchanged and will be passed as-is. No decryption or additional handling is required to access or view them.
Some of the features that are not available for Encrypted Forms are:
- PDF downloads (PDF document and Fillable PDF Form). You can still view the data in the PDF Editor, but you can only Print it.
- Form Reports (Excel, Grid Listing, HTML Table, RSS, Calendar). CSV download is possible but through Jotform Tables only.
- Form Emails (Notification and Autoresponder).
Caution: The Preview Before Submit Widget will create a conflict with the encryption process and the data will not be encrypted. Please do not use this widget on your encrypted forms!
Data that is gathered and processed server-side cannot be retrieved in encrypted forms because your private key is never sent to our servers.
Comments and suggestions are welcome below. If you have a question, post it in our Support Forum so we can assist you.