Decryption of downloaded data
If a form has encrypted fields, the download will contain the values of these fields in an encrypted format. An example of a CSV file where the date of birth has been encrypted is shown below.
To decrypt this data, you will need the password (from Sealed Envelope support) and a decryption tool, such as OpenSSL, that can decrypt AES-256. You will also need to extract the encrypted field column into a new file so that the only data on each line is the contents of the encrypted field. You can do this by, for instance, copying and pasting the encrypted column into a text file:
    U2FsdGVkX18BH/rs5o6X635KFSi26/5epe+hdfD0gH8=
    U2FsdGVkX1+rbukCo7HxKWb/Vdv/1uLJDaQY4RW4lCM=
    U2FsdGVkX1+vKpmwQVOrDDDViSSQFMHJ+wOAkJB4PEg=
    U2FsdGVkX1/NChFlM5hl297WVjM7nrhqHOXdUwlA4nE=
    U2FsdGVkX18DYFOIOvZsuJHraQMzDzyoWbrTpT8rcO0=
Once you have obtained the decrypted data, you will probably want to paste it into a new column in the CSV file to allow it to be associated again with the other subject data.
On Windows, we recommend installing OpenSSL for Windows. It's easiest to create a new folder and copy the openssl.exe file from the download into this new folder. Next, create a batch file by copying and pasting the following code into a text document using Notepad or similar, and save it as se-decrypt.cmd in the same directory as the

    @echo off
    REM Sealed Envelope batch file to decrypt data using openSSL AES 256
    REM Input file is assumed to contain one encrypted item per line
    set filepath=%~f1
    if not exist "%filepath%" (
      echo %~n0: file not found - %filepath% >&2
      exit /B 1
    )
    set /P passwd="Password: "
    echo Decryption of %filepath% at %DATE% > decrypted.txt
    REM usebackq with a quoted path lets the input file live in a folder whose name contains spaces
    for /F "usebackq tokens=*" %%i in ("%filepath%") do @echo %%i | openssl enc -aes-256-cbc -d -a -md sha512 -pbkdf2 -iter 100000 -pass pass:%passwd% >> decrypted.txt
You must run the batch file from the Command Prompt - you should find this somewhere in your Start menu. You need to use the cd command to move into the folder that contains the openssl.exe file and your encrypted data file. You can use the dir command to see the contents of the current folder. Once you are in the correct folder, type the command:

dob-encrypted.txt is the name of the file containing the encrypted data. Running this command will ask for the password and create (or overwrite) the file decrypted.txt. Screenshots for doing this are shown below.
On macOS, you can use the built-in OpenSSL or install it using Homebrew. You will need to open the Terminal to type the relevant commands. In the example below, the encrypted data is assumed to be in a file called dob-encrypted.txt on the Desktop. A decrypted file is created called dob-decrypted.txt using the password super-secret. Obviously, you should change these parts to reflect your file names and password.
    $ cd Desktop
    $ cat dob-encrypted.txt
    U2FsdGVkX18BH/rs5o6X635KFSi26/5epe+hdfD0gH8=
    U2FsdGVkX1+rbukCo7HxKWb/Vdv/1uLJDaQY4RW4lCM=
    U2FsdGVkX1+vKpmwQVOrDDDViSSQFMHJ+wOAkJB4PEg=
    U2FsdGVkX1/NChFlM5hl297WVjM7nrhqHOXdUwlA4nE=
    U2FsdGVkX18DYFOIOvZsuJHraQMzDzyoWbrTpT8rcO0=
    $ while read in; do echo "$in" | openssl enc -aes-256-cbc -d -a -md sha512 -pbkdf2 -iter 100000 -pass pass:super-secret; done < dob-encrypted.txt > dob-decrypted.txt
    $ cat dob-decrypted.txt
    04/08/1997
    11/08/1920
    19/02/1987
    10/10/1980
    10/10/1980
    $
The cd command is used to move to the folder where the encrypted file is held. You can use the list command ls to view files in the current folder. The cat command shows the contents of a file. The decryption is carried out with the command:

    while read in; do echo "$in" | openssl enc -aes-256-cbc -d -a -md sha512 -pbkdf2 -iter 100000 -pass pass:super-secret; done < dob-encrypted.txt > dob-decrypted.txt

which you should adapt to use your own password and file names.
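
A variant of the loop above, given as an added example (it is not Sealed Envelope's own script): it uses the same OpenSSL parameters but reads the password from an environment variable instead of placing it on the openssl command line, and it writes exactly one output line per input line, so a value that fails to decrypt cannot shift the remaining values against their rows when they are pasted back into the CSV. The names SE_PASS, decrypt_column and DECRYPT-FAILED are assumptions made for this example.

```sh
# Added example, not Sealed Envelope's script. Same OpenSSL parameters as the
# loop above. SE_PASS, decrypt_column and DECRYPT-FAILED are names assumed here.
decrypt_column() {
    # $1: file with one encrypted value per line; plaintext goes to stdout
    local in_file line plain failures cr
    in_file=$1
    failures=0
    cr=$(printf '\r')
    [ -r "$in_file" ] || { echo "cannot read $in_file" >&2; return 2; }
    [ -n "${SE_PASS:-}" ] || { echo "SE_PASS is not set" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # tolerate CRLF files saved on Windows
        if [ -z "$line" ]; then     # empty cell: keep the row, emit a blank
            echo
            continue
        fi
        # -pass env: keeps the password off the openssl command line
        if plain=$(printf '%s\n' "$line" |
                SE_PASS="$SE_PASS" openssl enc -aes-256-cbc -d -a -md sha512 \
                    -pbkdf2 -iter 100000 -pass env:SE_PASS 2>/dev/null); then
            printf '%s\n' "$plain"
        else
            echo "DECRYPT-FAILED"   # marker keeps later rows aligned
            failures=$((failures + 1))
        fi
    done < "$in_file"
    [ "$failures" -eq 0 ]           # non-zero status if any line failed
}
```

Run it as `decrypt_column dob-encrypted.txt > dob-decrypted.txt` after setting the variable with `read -rs SE_PASS`, which prompts for the password without echoing it or saving it in the shell history.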