Formit send encrypted

I need to send the contents of a form so that it’s encrypted. How do I do this with Formit?

I’m not even sure I’m asking the right questions - I’m not currently using SMTP but do I need to, to ensure encryption?

Sorry I’m a little vague on this one.

1 Like

Looks like this will work:

formEncrypt: If set to '1' (true), the submitted form will be encrypted before saving inside the DB.

https://docs.modx.com/extras/revo/formit/formit.hooks/formit.hooks.formitsaveform

Now this says it will save the form encrypted…I assume that’s what you want?

As far as encryption for the email itself…I am less sure

Sounds like you may need to ask for clarification what the client means when they ask you about encryption :wink:

You can send emails over TLS with SMTP, depending on your mailserver. I don’t think there’s currently support for sending encrypted email contents (i.e. PGP) available.

Could also consider a custom hook that writes any sensitive information to some kind of encrypted file and attaches that with a password, or only making that available from within the site rather than emailing it over the unprotected web.

1 Like

I’m trying to understand how it all works but basically I don’t want to save the form, I want to send it to an email address. The website is protected by SSL so my understanding is that anything entered on the form will be ‘safe’ but I’m unsure if the data will be safe as it re-routes from server to server and then to the client’s email program. Am I making sense? Am I worrying too much? The client is basically saying to me: “I want to know that the data captured on the form is as safe as it can possibly be”.
I found the following explanation that seems to say to me I don’t have to worry but I’m not sure:

"Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information."

1 Like

Sounds about right.

That’s indeed the tricky thing about email. You can connect to the outgoing mailserver using TLS (more or less equivalent to SSL, TLS is newer), but I don’t think it’s possible to ensure every hop along the way also uses TLS. Plus every server in the middle can access all metadata and contents of whatever you’re sending.

Maybe, if you send emails from MODX by connecting directly to the recipient mailserver with SMTP (rather than, say, an email service or sending local email from the webserver), you might not have any hops in the middle, but I’m not 100% sure if that works.

To encrypt the content so that mailservers in the middle can’t read the content (they’d still have access to the metadata), you need something like PGP… which is not necessarily the most non-tech user friendly thing. And not supported in MODX as far as I’m aware (though would be very happy to be proven wrong).

What is considered “secure enough” depends on what you’re expecting to send. A health care operator that sends email containing privileged patient information would require more precautions than a business only taking in contact requests, for example.

1 Like
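To see the "hops in the middle" described in the post above for a real delivery, this added example (not part of the thread and not MODX or FormIt code) reads the Received headers of a delivered message and reports, hop by hop, whether the receiving server recorded TLS. The sample message, host names and queue ids are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# RFC 3848 transmission types: an "S" after SMTP/ESMTP/LMTP means the
# receiving server recorded TLS for that hop (ESMTPS, ESMTPSA, ...).
PROTO_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)(S?)A?)\b", re.I)
# Some servers log the TLS version instead, e.g. "(version=TLS1_2 ...)".
TLS_VERSION_RE = re.compile(r"\bTLSv?1[._]\d", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# Constructed sample message; hosts, addresses and queue ids are made up.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.client.example (Postfix) with ESMTP id 4F2A1
\tfor <owner@client.example>; Tue, 02 Jan 2024 10:00:03 +0000
Received: from web01.example.com (web01.example.com [198.51.100.5])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby relay.example.net (Postfix) with ESMTPS id 9C1D2
\tfor <owner@client.example>; Tue, 02 Jan 2024 10:00:01 +0000
Received: by web01.example.com (Postfix, from userid 33) id 7B3E0;
\tTue, 02 Jan 2024 10:00:00 +0000
From: site@example.com
To: owner@client.example
Subject: Contact form

(form contents)
"""

def hop_report(raw_message):
    """Return hops in travel order with the TLS status each receiver recorded."""
    hops = []
    # Each server prepends its own Received header, so reverse for travel order.
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        by, proto = BY_RE.search(flat), PROTO_RE.search(flat)
        hops.append({
            "by": by.group(1) if by else "?",
            "with": proto.group(1).upper() if proto else "?",
            "tls": bool(proto and proto.group(2)) or bool(TLS_VERSION_RE.search(flat)),
            # No "from" clause: local hand-off on one machine, not a network hop.
            "local": not flat.lower().startswith("from "),
        })
    return hops

def hops_without_tls(raw_message):
    """Network hops whose receiving server did not record TLS."""
    return [h["by"] for h in hop_report(raw_message) if not h["local"] and not h["tls"]]

if __name__ == "__main__":
    print("no TLS recorded by:", hops_without_tls(SAMPLE))
```

Save a delivered test submission as raw source and pass it to `hop_report`. The headers are each server's own claim, so a missing TLS marker is a prompt to check that server's configuration, not proof either way.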

Thank you Mark. Yes, this is tricky and certainly made me question how this all works - especially the ‘hops in the middle’. I think PGP is going to be a nightmare. I’ll do some research on SMTP but leave this post open in case anyone else has more experience.

1 Like