Skip to content

End to End Encryption pre-release progress

It's been two months since we first announced an E2EE preview available at dev.liberaforms.org

We've made good progress since then:

  • Step-by-step personal key creation
  • Adds an E2EE demo
  • Easy 'Delete all' and 'Restore' keys options
  • The UI prompts for key restoration when required
  • Key resoration handles passphrase
  • Key's are stored in the browser's localStorage and sessionStorage correctly
  • Simplifies form key creation
  • Adds option to copy the form's private key
  • Finishes unifying editor and reader form sharing code
  • Sharing E2EE forms UI gracefully handles different form user E2EE states

User documentation has somewhat fallen behind. Some work has been done but needs love and care.

Known bug. Form user E2EE status is incorrect when the personal keys have be purposefully overwritten.

Feel free to try it out at dev.liberaforms.org and give us some feedback! :)

Step-by-step personal key creation

Understanding E2EE can be challenging for new users.

We have made an effort to make the personal key generation process unambiguous.

After creating the keys the user can play with a demo that helps to understand how E2EE works.

Delete keys

We've added a one-click link to delete all keys on the browser, both localStorage and sessionStorage.

localStorage and sessionStorage

Unlocked personal keys are never stored in localStorage unless explicitly requested by the user.

Personal keys with a passphrase are stored as locked in localStorage when requested by the user. This means that only the passphrase is required to use the key.

Unlocked form keys are never stored in localStorage.

Form key creation

We've reduced this down to just one click. [ enable | disable ]

When enabled for the first time:

  • Form keys are generated (without passphrase)
  • Editor's ciphered form key data is generated
  • E2EE is toggled to 'Enabled'

The form's public key and the ciphered form keys are persisted on the server.

Just as before, the form's private key is unknown by the server.

Form private key

An E2EE form's API endpoint is only useful if you can decrypt the answers.

We've added an option to copy the form's private key, view the fingerprint, and included an example script to decrypt the answers.

Sharing E2EE forms

The UI makes sharing E2EE forms easier and displays the E2EE status of each user.

Data-display picks up on missing E2EE configurations and guides users to take appropriate actions.