Last updated: Sep 26 2017
Encrypting form submission data
Note: Episerver Forms is only supported by MVC-based websites and HTML5-compliant browsers.
By default, form submission data is stored as plain text. However, in some environments, the law requires data to be encrypted. For this reason, Episerver Forms (version 4.6 and higher) includes a data encryption feature which can help clients meet strict legal requirements. All submission data can be encrypted before being saved into the database and then, decrypted later on.
For data encryption, the algorithm key is the most crucial feature and it needs to be ultimately secured for data safety. Therefore, Episerver Forms uses Azure KeyVault – a new feature of the Azure platform, as the default algorithm key storage, which allows you to separate administrators or IT staff from accessing the key like traditional servers. This significantly improves data security. Without Azure KeyVault, the feature still works well with other kinds of key storage, such as on-premises servers or SQL Server. The article Forms crypto engine explains in detail how you can customize the crypto engine with different kinds of key storage or algorithms.
This topic explains in detail how to enable form data encryption with Azure Keyvault, authorize users to work with it, and how it impacts Episerver Forms.
The default crypto engine of Episerver Forms uses Azure KeyVault to store the symmetric algorithm key. It then retrieves the key from KeyVault and uses it for encryption and decryption. For more information, see:
Data block and key size of symmetric algorithm
Episerver Forms uses the Advanced Encryption Standard (AES) to encrypt and decrypt data. AES has two main concepts:
- Data block size. Episerver Forms follows the standard 128-bit length.
- Key size. Episerver Forms supports three types: 128 bits, 192 bits, and 256 bits.
Azure KeyVault refers to their key as a "secret." To use encryption mode, create a secret on Azure KeyVault. Episerver Forms retrieves your secret key from the KeyVault server and uses it in the encryption engine's symmetric algorithm. The secret should be base-64 encoded, meaning its characters are in the ASCII range of UTF8, and each character is 1 byte. So, the secret should contain only 16 characters for a key size of 128 bits, 24 characters for a key size of 192 bits, and 32 characters for a key size of 256 bits.
To enable form data encryption, follow these steps.
- A secret on Azure KeyVault.
- Installed NuGet package EPiServer.Forms.Crypto.AzureKeyVault.
- Session state is enabled.
- Open the Forms.config file.
- Before the
<providers>section, add a
3. Within the
<providers> element, specify three Azure KeyVault–related parameters for the cryptographic engine.
- ClientId. Application ID registered with Azure Active Directory.
- ClientSecret. The key created for the application in Active Directory.
- KeyIdentifier. The endpoint used for communication with Azure KeyVault. Used to retrieve token access, public key retrieval, and data decryption.
4. Restart your site.
After you complete these steps, all forms data is encrypted before being saved (except system fields).
Sample Forms.config file excerpt:
<add name="DdsEncryptedPermanentStorage" type="EPiServer.Forms.Core.Data.Internal.DdsEncryptedPermanentStorage, EPiServer.Forms.Core"
Note: To return to Episerver Forms default mode that does not encrypt data, set DdsPermanentStorage as the storage element's default provider.
Setting user access rights to encypted form data
When you want certain users to access the Form Submissions view, which lets users see encrypted data and export decrypted data, create a new role and assign to it the privileges eligible to access form data. Those privileges are defined in the minimumAccessRightLevelToReadFormData element of the Forms.config file for the Episerver Forms folder, such as shows in the following example.
Next, assign the role to appropriate users.
From now on, those users can view encrypted data and see an option to export as Decrypted CSV data.
Decryption mode performance issues
Currently, the asynchronous export of decrypted CSV files is not supported. Because encryption is a time-consuming operation, if forms contain a large amount of data and the allowed time is too short, timeouts may occur. To use decryption more efficiently, you should increase your system timeout.
Impact on other functionality
When using encryption mode, all columns must have the string data type (except system columns). As a result, the sort functionality does not work because it is based on numeric data types.
Normally, when a visitor clicks the Next button in a form, data is saved to the database. But in encryption mode, submission data is saved only when a user finalizes a submission, to enhance performance. This is because data must be encrypted before it is saved, and encryption is a resource-consuming operation.
For performance and security reasons, the progress button does not work in encryption mode. If a session expires, users are required to refill form data from the beginning. Old data is removed.