Caffeine

Encrypting text. Creating secure notes using VisualForce

Hello all,

I'm working on a project to give users the ability to create secure notes on any object.  The design is going fine except for the last piece: how to encrypt or obfuscate the note so that even administrators browsing cannot read them.

 

Apex does not do encryption (only hashing), so I have to come up with a method for obfuscating the note.  

 

I can do this with JavaScript, but how do I:

1. Obfuscate some text in JavaScript and then save it back to a Salesforce field?

A secondary question: is there any other way anyone can think of to do this other than JavaScript?

 

Thanks,

C.

shillyer

Could you use Encrypted Text Fields? Only users with "View Encrypted Data" perm can see the value, I believe Sys Admins won't have this on by default.

 

Hope that helps,

Sati

JeremyKraybill

While Apex doesn't expose a native encryption API, it has all the features required to implement many modern encryption algorithms. For security I would personally opt for doing that rather than in JavaScript, and I would give each user a unique key stored in their user record. If you really don't trust your admins with this data, though, and they have "Login as" privileges, it's going to be hard to genuinely prevent them from getting at the data without externalizing some sort of key, like an additional data password the user is prompted for when they want to decrypt their data.

 

But if you just want to obfuscate the data, you could write up a simple substitution cipher in Apex or JavaScript in minutes.

 

If you want to go the JS route, you could have a button next to a textarea field which calls the JS function to encrypt the text inline.

 

HTH

 

Jeremy Kraybill

Austin, TX

Caffeine

Jeremy,

Thanks for the post, but I'm puzzled over one piece of what you wrote.  Which features does APEX have that lend it to creating encryption algorithms?  I have a background in security and cryptography, but I can't seem to even get an ASCII code for a text character in APEX.

 

Thanks,

C.

JeremyKraybill

Well, by "features" I meant just the core API and operators are sufficient to support implementing encryption. You would need to code an ASCII lookup table since there is no char/byte field, for instance, and if you were doing higher-end stuff that needs primes you would have to code your own BigInteger-like implementation, but certainly there is enough there to implement encryption, and doing simple ciphers would be trivial.

 

HTH

 

Jeremy Kraybill

Austin, TX
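
The "additional data password the user is prompted for" idea from the thread, as an added example (not code from any poster here): the note is encrypted with a key derived from a passphrase that is never stored, so the saved field value is unreadable without it. It uses Node's `crypto` module so it runs stand-alone; the same PBKDF2 and AES-GCM primitives are available to page JavaScript through the Web Crypto API. The function names, the `v1` envelope layout and the iteration count are assumptions made for this example.

```javascript
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 work factor (assumed value)
const VERSION = 'v1';      // hypothetical envelope version tag

// Stretch the user's passphrase into a 256-bit key; the salt is per note.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');
}

// Returns a printable "v1.salt.iv.ciphertext.tag" string that fits a text field.
function encryptNote(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(VERSION)); // bind the version tag to the ciphertext
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [VERSION, ...[salt, iv, ct, cipher.getAuthTag()].map((b) => b.toString('base64'))].join('.');
}

// Throws if the passphrase is wrong or the stored value was modified.
function decryptNote(envelope, passphrase) {
  const parts = envelope.split('.');
  if (parts.length !== 5 || parts[0] !== VERSION) {
    throw new Error('unrecognised note format');
  }
  const [salt, iv, ct, tag] = parts.slice(1).map((p) => Buffer.from(p, 'base64'));
  if (salt.length !== 16 || iv.length !== 12 || tag.length !== 16) {
    throw new Error('malformed note');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(VERSION));
  decipher.setAuthTag(tag);
  // final() verifies the GCM tag before any plaintext is returned to the caller.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Only the envelope string is saved to the record; anyone who can read the field, including a user with "Login as" access, still needs the passphrase to recover the note.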