An Encrypted Form offers another layer of security on top of the already secured forms and submissions we offer. You may have read about this on our blog, Introducing Encrypted Forms: The Ultimate in Online Form Security.
If you’re here, then you’re probably looking for more info. Be warned that this is way longer than our usual guides, so below is a quick list of all the questions answered here so you can quickly jump to the questions that matter to you:
- Are Forms and Submissions Secure Without the Encryption Feature Enabled?
- What Is the Difference Between a Secure Form and an Encrypted Form?
- How Can I Enable Form Encryption?
- How To Use an Encrypted Form?
- Where Can I Find the Private Key After Downloading It?
- Am I Notified via Email When an Encrypted Submission Comes In?
- How Can I Decrypt the Data From the Email or Through the Submissions Page?
- Does This Mean That I Can Now Ask for Passwords and User Credentials?
- Can I Now Ask for Credit Card Details Without a Payment Processor?
- Can I Share the Private Key With Others?
- Is It Available on the Free Plan?
- Are Keys Created per Form or per Account?
- What Will Happen if I Lose the Private Key?
- What Should I Do if I Lost the Key but Wanted To Keep Encryption Enabled?
- My Browser Opened Some Texts Instead of Downloading the Key – What Is That?
- Can I Still Accept Payments on Encrypted Forms?
- How Can I Turn off the Encryption on My Form?
- Is There Any Difference in Speed if Encryption is Turned On?
- Can I Use Any Integration on Encrypted Forms?
- What Happens To Uploaded Files on Encrypted Forms?
- Some features that are unavailable for Encrypted Forms
Are Forms and Submissions Secure Without the Encryption Feature Enabled?
Your forms and submissions are, as they have always been, secure. If you need an extra level of security, we recommend using the secured URL of your forms as they will cause the forms to be loaded over a secured (encrypted tunnel). Remember, your form URL comes in two varieties:
- HTTP URL: http://www.jotform.com/1234567890
- HTTPS URL: https://www.jotform.com/1234567890
By default, all forms you create now use the SSL (HTTPS) version. So yes, your forms and submissions are secure even without encryption.
Note that if you are not familiar with the feature, or have not heard of RSA algorithms, you’ll most likely not need this feature at all.
What Is the Difference Between a Secure Form and an Encrypted Form?
When you get the embed codes (or the URL) of your secure form, it will use the HTTPS protocol. This means that there’s strong encryption that creates a tunnel between our servers and the people filling out your forms. As they submit the form, the form is also submitted over this same HTTPS (secure) protocol, so with just that, your forms are safe.
While a secure HTTPS form encrypts data in transfer, an encrypted form encrypts the stored data on top of that. There is no way to decrypt the stored submission data without the correct private key (more on this later). For ultimate security, we do not store the private keys on our end when you use encrypted forms.
How Can I Enable Form Encryption?
Enabling the form encryption can be done in the form settings. Please watch the video below or proceed to the below steps.
- In the form builder, click the Settings at the part.
- Go to the Form Settings tab.
- Click the Show More Options button.
- Scroll down, and select Yes from the Encrypt Form Data dropdown.
- As soon as Yes is selected, you will get a modal that will ask you to confirm your Jotform account password. Enter your password, and click the Confirm button.
If you signed up with Google or Facebook, you would have to create a dedicated password for your Jotform account. To do it, you have to reset your password.
Generating the Private Key for You
This is the recommended way if you’re not sure how to create private and public keys since we will make them both for you. Remember, they must be created properly for you to be able to utilize this powerful feature.
Please click the Create encryption keys for me button to get it done and wait for the download button to appear.
In some cases, the download will automatically start. If not, click the Download Private Key button.
Our recommendation is to save it in a place that is easy to find, and you can be sure that it will not be removed. You may also upload it to your cloud storage account. This is an important step since no one will be able to decrypt the data if the private key is lost.
Uploading Your Own Public Key
So, you are a pro at this and would like to generate the private and public key pair yourself? Great!
Within your terminal (Unix-based OS) run the next command to generate a private key file.
openssl genrsa -out rsa_2048_private.pem 2048
Then run the next command to generate a public key file.
openssl rsa -pubout -in rsa_2048_private.pem -out rsa_2048_public.pem
Finally, upload the generated rsa_2048_public.pem key file to JotForm. As soon as you upload the public key, it is added to your account.
How To Use an Encrypted Form?
You use it just as you would any other form in your account. Also, your data is now securely encoded before it is submitted, so do not worry about those strange characters that appear on the form just a moment before the form is submitted – It’s just Podo, going through your data and making sure that they leave that browser in a secure, encrypted way.
Where Can I Find the Private Key After Downloading It?
If you opted to download the key on your default download folder, you would most likely find it on your Downloads folder.
Am I Notified via Email When an Encrypted Submission Comes In?
Yes, you are, but not in the usual way. Instead of seeing the actual submission data, you will receive an email stating that you received an encrypted response. It looks like this:
How Can I Decrypt the Data From the Email or Through the Submissions Page?
When you try to view an encrypted submission, you will be asked to upload your private key. This is where you will use the private key you downloaded earlier. Upload the key, and once you click the Done button, you will automatically see the submission.
If you’re not seeing any modal popup when trying to view an encrypted submission, this could only mean two things:
- Your form is no longer encrypted, that’s why it is not asking you to upload a key. What this means is that if you make some encrypted form as non-encrypted, you will be able to open the submissions without being asked for the private key, while as soon as you turn the encryption on, it will start asking you for the private key. So, if it doesn’t show up, scroll back up to the “How Can I Enable Form Encryption?“ section above and ensure that Encrypt Form Data is set to “Yes”.
- If encryption is enabled, but you are not being prompted to upload your private key (while the data looks encrypted), this means that an incorrect private key file is stored on your browser’s Local Storage. The solution is to clear the local browser storage (this is different from browser cookies) to delete the stored private key file from your browser. Once the local storage is cleared, you will be asked to upload the private key file again on your next attempt.
Does This Mean That I Can Now Ask for Passwords and User Credentials?
Can I Now Ask for Credit Card Details Without a Payment Processor?
No, this is also forbidden and will lead to account termination. User credentials, credit card details, and other sensitive information are not allowed to be collected on JotForm. If you need to process payments, use any of our Payment Processors.
Can I Share the Private Key With Others?
Sure, you can, but ideally, you shouldn’t (unless you trust whom you’re sharing it with). Your goal with encryption is total security, so sharing the key is at your discretion.
Is It Available on the Free Plan?
Yes, of course!
Are Keys Created per Form or per Account?
We are storing public keys per account basis, and Jotform is overwriting the existing public keys when a new key is created. Old private keys can be used for the existing submissions, but new submissions will have to use the new key.
When you choose the Create encryption keys for me option for the first time, we will generate the public and private key pair for you. The public key will be stored at Jotform and the private key will be downloaded by you.
You can choose the I will use my existing keys option when enabling encryption on other forms if you prefer to use the same key. Unless you need different keys for the new submissions, this is the recommended approach.
And, if you choose the Create encryption keys for me option again, it will create a new key pair for your forms.
Remember, we do not store private keys, so you should keep all your private key(s) in a safe and secure place.
What Will Happen if I Lose the Private Key?
If you have lost the private key, then there is not much that you can do. It means that your encrypted data is lost forever, there is no copy of the same on our servers, and it is impossible to crack the one you had. Our only recommendation is to turn off encryption right away so you can start receiving submissions normally again. Leave the encrypted submission data on your Submissions Page just in case you find the key at some later point in time.
Note that if you can see decrypted data in some browsers, but the key is lost, it may be possible to restore the key from that browser’s local storage. If this is the case, contact our support for instructions.
What Should I Do if I Lost the Key but Wanted To Keep Encryption Enabled?
It is possible to generate new keys by disabling the encryption feature and enabling it again. Use the Create encryption keys for me option to generate a new key.
If you’re wondering, no, the new keys will not decrypt the old data.
My Browser Opened Some Texts Instead of Downloading the Key – What Is That?
That is the private key. Depending on your browser’s MIME setting, you might have it set up to open the file in the browser, download/save the file, or pass it on to some application on your computer.
For example, Safari seems to show the file instead of offering a download.
What to do in such cases? Just copy the content, paste it into an empty file, and name it as you wish. Just remember to save it in a safe place and never lose it.
Can I Still Accept Payments on Encrypted Forms?
Yes, you can. The data sent to the payment processor you are using will not be encrypted for further handling. This way, your products/subscriptions/donations, their individual prices, and the total values will never be encrypted.
How Can I Turn off the Encryption on My Form?
Please follow the same steps to access the Encrypt Form Data, and select No, and that’s it!
Is There Any Difference in Speed if Encryption is Turned On?
The loading time of your forms should be the same, but once you hit submit, the form will need to go through each field to encrypt it.
This means that some extra time will be added to the submission of your form, but this would only depend on the number of fields on your form and its complexity, so it will very likely take a bit of time on a form with over 500 fields in it. The encrypted submission data may also take some additional time to load.
Can I Use Any Integration on Encrypted Forms?
Yes and no. While you can create the integration and send the data to it, please note that the data is encrypted on the side of the user submitting the form. Therefore, the same encrypted data will be passed to your integrations.
As such, the data itself is rather useless on the integration end since you will not be able to use it unless you have a way to decrypt the data on the side of that integration. This may be possible using some services, but this is not something we cover.
What Happens To Uploaded Files on Encrypted Forms?
They are handled as is, meaning that any file that gets submitted to your form (a photo, document, etc.) is left unchanged and will be passed as-is. No decryption or additional handling is required to access or view them.
Some of the features that are not available for Encrypted Forms are:
- PDF downloads (PDF document and Fillable PDF Form). You can still view the data in the PDF Editor, but you can only Print it.
- Form Reports (Excel, Grid Listing, HTML Table, RSS, Calendar). CSV download is possible but through Jotform Tables only.
- Form Emails (Notification and Autoresponder).
The Preview Before Submit Widget will create a conflict with the encryption process and the data will not be encrypted. Please do not use this widget on your encrypted forms!
All server-side gathered and processed data can not be retrieved in encrypted forms because your private key is never sent to our servers.
If you have any questions, suggestions, or feedback, please post it in the comment box below. You can also reach us by creating a support ticket.