
E2EE on LiberaForms: Answer Sharing

In the first E2EE implementation on LiberaForms, we temporarily lost the ability to Share Answers with other LiberaForms users.

That is, of course, one of the nicest features we have, so it needed to be restored swiftly!

Scouting the terrain

First of all, we recognised that there was an awkward code-disconnect and feature disparity between sharing the form's answers in a read-only fashion (adding Readers), and sharing the form by adding Editors who can also manage form questions, remove answers and change form options.

This made for a somewhat confusing experience, and also meant that we had to take care of answer sharing twice (once for Readers, once for Editors).

Instead, we decided to unify the code paths, which not only allowed us to improve the state of affairs but also means we only take care of the feature once :-).

Designing the feature

Before coding away, we sketched a plan including the design of the feature in a broad fashion.

The first round of implementation used an Editor's keys to encrypt answers, which is suboptimal for Answer Sharing.

Instead we created a Form key that is dedicated to protecting Form Answers, while relegating per-user keys to protecting Form Keys.

This doesn't change much when there is just a User with access to Form Answers, but it enables us to share Answers with Another User, by sharing the Form Key in a secure fashion.

This is done by encrypting the Form Key with Another User's personal key and uploading the result to the server.

Given that a User's personal keys never leave their browser for the server, this means that the server still has no access to the answers.

It has the plus of working as a reasonable Form Key backup, to ease key management for Users.
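
The key hierarchy described above, sketched as an added example (not LiberaForms code). The algorithms (RSA-OAEP for wrapping the Form key, AES-256-GCM for answers), the Node.js `crypto` module standing in for the browser, and every function name are assumptions made for illustration; so is the detail that an existing editor re-wraps the Form key for the new user.

```javascript
// Added illustration: algorithms and all names are assumptions, not LiberaForms code.
const nodeCrypto = require("node:crypto");

// Each user's personal key pair; the private half never goes to the server.
function newUserKeys() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Wrap (encrypt) the Form key to one user's public key. Only this blob is uploaded.
function wrapFormKey(formKey, userPublicKey) {
  return nodeCrypto.publicEncrypt({ key: userPublicKey, oaepHash: "sha256" }, formKey);
}

// Unwrap locally with the user's private key.
function unwrapFormKey(wrapped, userPrivateKey) {
  return nodeCrypto.privateDecrypt({ key: userPrivateKey, oaepHash: "sha256" }, wrapped);
}

// Answers are protected by the Form key alone, never by a per-user key.
function encryptAnswer(formKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", formKey, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decryptAnswer(formKey, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", formKey, iv);
  d.setAuthTag(tag); // GCM rejects modified ciphertext in final()
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

function demo() {
  const editor1 = newUserKeys(), editor2 = newUserKeys(), outsider = newUserKeys();
  const formKey = nodeCrypto.randomBytes(32);
  // What the server holds: ciphertext answers plus one wrapped Form key per user.
  const server = {
    answers: [encryptAnswer(formKey, "constructed sample answer")],
    wrappedKeys: { editor1: wrapFormKey(formKey, editor1.publicKey) },
  };
  // Sharing: editor1 unwraps locally, re-wraps for editor2, uploads the new blob.
  const local = unwrapFormKey(server.wrappedKeys.editor1, editor1.privateKey);
  server.wrappedKeys.editor2 = wrapFormKey(local, editor2.publicKey);
  // editor2 restores the Form key with their own private key and reads the answer.
  const k2 = unwrapFormKey(server.wrappedKeys.editor2, editor2.privateKey);
  let outsiderFailed = false; // a key pair the Form key was never wrapped for
  try { unwrapFormKey(server.wrappedKeys.editor2, outsider.privateKey); } catch { outsiderFailed = true; }
  return { read: decryptAnswer(k2, server.answers[0]), outsiderFailed };
}
console.log(demo());
```

Sharing adds one small wrapped-key blob per user; the stored answers are not re-encrypted.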

The feature in action

User submitting an answer

Note that this is happening before editor1 configures E2EE and obtains access to the form.

editor1 configures keys

Note that editor1 configures a password for their key.

Adding editor1 to the form

editor1 reads answers

When trying to access the Form's answers, LiberaForms will help the user restore the Form key locally, by unlocking it with their private key.

The data is never seen by the server.

Limitations

We are in the process of documenting them (see this and this), and there might be more. We'll solve as many as possible before releasing the feature, but these are the highlights:

  • Password-protected encryption keys are not really supported (has improved!)
  • Sharing a form's encrypted answers is unsupported at this stage
  • It is way too easy to replace an editor's keys, losing all answers!
  • The E2EE key management UI is a bit quirky (has improved!)

How can I have a sneak preview?

Just remember not to use this version and feature on any instance where you care about your data; we will work with this assumption when adapting database migrations between this unreleased version and the first released version that implements E2EE.

With that disclaimer out of the way: you just install/upgrade LiberaForms as usual, except you do it against the develop branch at farga.eXO.cat.

Everything else stays the same!

If you do try this out, let us know, but keep in mind we'll be finishing this in a very short time-frame!

What's next here?

Well, now we are ready to start to polish the Key Management UI and to fix all the bugs that are waiting to be found :-). The focus on getting the feature 'Production Ready' will be on usability and reasonably informing Users of what this all means (documentation).

On release, LiberaForms will have this feature enabled but not as a default. Editors will be able to enable it at their own risk, and Server Admins will be able to disable the feature, make it a default, or force it on their server.

Let us know how this looks to you; your feedback is much appreciated!