Encryption
ALTCHA’s Encryption Shield is an automatic, user-friendly encryption system built on the asymmetric RSA algorithm. It secures all employee and customer data, including file attachments.
It adds a sophisticated layer of protection to your data, making any potentially leaked data unreadable without the corresponding key.
Why is Encryption Important?
Data breaches happen frequently, regardless of your company’s size¹. Under the GDPR, it is your legal obligation to protect employee and customer data sufficiently to minimize the impact of potentially leaked data. Failure to do so can result in fines and reputational damage.
ALTCHA Forms offers an effective solution to data protection using its unique, automatic end-to-end encryption.
How is Data Encrypted?
The Encryption Shield uses asymmetric RSA encryption with public and private keys. The server retains the public key, while the user holds the private key.
- Form Data: Submitted form data is encrypted on the server after validation and processing, and stored encrypted in the database, protecting data from potential breaches.
- File Attachments: File attachments are encrypted on the user’s device before being sent to the cloud, employing true end-to-end encryption.
User Responsibilities
- Users are responsible for storing and protecting their private keys.
- Users must securely share the private key with coworkers or team members who need data access.
At-Rest vs. End-to-End Encryption
Most systems and cloud services employ “at-rest encryption,” which secures data on persistent storage devices like hard drives.
“At-rest encryption” is not the same as the end-to-end encryption used by ALTCHA Forms. With at-rest encryption, the server holds the encryption key, so an attacker who compromises the server can obtain the key along with the data.
With end-to-end encryption, an attacker would need access to both the database and your private key, which should be stored securely on a flash drive or a similar offline medium.
Enabling and Configuring Encryption
To enable ALTCHA’s Encryption Shield:
- Enable Encryption: Ensure encryption is enabled in your account settings.
- Generate a New Encryption Key: Navigate to Account Settings -> Encryption Keys and generate a new encryption key. The new encryption key is generated automatically and securely on your device. Download the private key in .pem format and store it securely on a flash drive or similar medium.
- Multiple Keys: You can create multiple encryption keys and assign them to different forms.
Accessing Encrypted Data
To decrypt and read the data, users need to import the private encryption key in their browser:
- Navigate to Import Key: Go to User Profile -> Encryption Keys.
- Import the Key: Import the .pem file containing the private key.
It is acceptable to share the private key .pem with coworkers and team members who need data access. Ensure you share the key securely.
Device Storage Encryption
Imported encryption keys are stored on the user’s device in localStorage for ease of use. The storage is encrypted with symmetric AES encryption:
- Generation: The storage encryption key is randomly generated by the server when the device is first registered.
- Authentication: The storage encryption key is provided to the device upon successful authentication and kept only in memory while authenticated, preventing leakage of the private encryption keys if the device is compromised.
Footnotes: