Here to Help: Securing Your Form with Data Encryption

Written by Jessica Haas on June 8, 2016

Posted in Here to Help, IT + Security

“Here to Help” is a support column written especially for Formstack’s awesome, loyal customers. This post is part of a four-post series on web form security.

If you use (or are planning to use) Formstack to gather and store sensitive, identifying data like social security numbers or credit card information, form encryption is a must! In fact, we take this so seriously that we require you to enable data encryption if you are collecting this type of information with your online forms.

Formstack provides two ways to encrypt your sensitive data:

  1. PGP encryption for data sent via email
  2. Data encryption for data stored in Formstack’s online database

In this post, I’ll cover each in full detail. Read on to find out how to keep your information secure!

PGP Encryption

PGP stands for Pretty Good Privacy, and it’s a widely used computer program that encrypts and decrypts messages sent over the Internet. If you are collecting sensitive information and routing that information via email, you need to set up PGP encryption on your notification emails.

A lot of email applications offer PGP support through third-party PGP programs. Below are the free plugins available for a few popular email applications. More complete lists of free PGP programs for different clients can be found here and here.

To enable PGP email encryption on your form, follow these steps:

  • Go to Settings > Security.
  • Find “Encrypt Notification Emails with PGP” in the Password & Encryption Settings box.

Formstack PGP Encryption

  • Click “Add your PGP public key.”
  • Copy and paste your public key into the Public PGP Key field and click “Save.”

Public Key for Formstack PGP Encryption

To ensure your PGP encryption setup goes smoothly, keep these things in mind:

  • File attachments are not encrypted.
  • If you need to set up PGP encryption in a hurry, the easiest thing to do is to create a free email account at Hushmail and send your notification emails to that address. Hushmail will automatically generate a public PGP key for you within your account.

Data Encryption

Data encryption, in this case, refers to the encryption of data stored in the online Formstack database. This database encryption works by generating public and private keys that are stored with your form and require you to set an encryption password.

The public key encrypts the data saved in the database, the private key decrypts the data, and the password you set encrypts the private key. Your encryption password is not saved on the server in plain text, so no one can access or decrypt the information without knowing your encryption password.

To enable database encryption on your form, follow these steps:

  • Go to Settings > Security.
  • Find “Encrypt Saved Data” in the Password & Encryption Settings box.

Formstack Data Encryption

  • Click “Enable Data Encryption.”
  • When prompted, set your password and click “Enable data encryption.”

Setting Password for Formstack Data Encryption

To ensure your data encryption setup goes smoothly, keep these things in mind:

  • File attachments are not encrypted. However, only those with the associated file upload URL can view the files.
  • It’s extremely important to remember your password. If you lose your password, even Formstack staff cannot access it. We can reset the database, but we will not be able to retrieve your data. Additionally, once you’ve enabled database encryption on your form, it can only be disabled or updated if you know the current password.

To learn more about Formstack’s other web form security features, click below to dive into part one of this security series.