
FAQ: Gravity Forms Encryption

Take a look through the most frequently asked questions. If you still have questions about this plugin, feel free to contact us.

General

How do I back up my encryption key?

The configuration is stored in a file at wp-content/gf_encryption_configuration.php
You should keep a copy of this file backed up somewhere. If you ever lose the key that is stored in it, there is no way to decrypt your data.

Does the plugin work with WordPress Multisite?

Yes, Gravity Forms Encryption works with WordPress Multisite. The only limitation at this time is that the same encryption key is used for all sites on the multisite.

What encryption is used?

AES 256 encryption is used with the openssl PHP extension to encrypt the data. It uses a 32 byte (256 bit) key as the encryption passphrase.

What are the minimum requirements?

Gravity Forms Encryption requires PHP 7.2 or later with the openssl PHP extension.

How can I send a link to the entry in the notification?

Since encrypted entries are removed from the notifications, you may want to link to the entry in your notification so it can be quickly viewed without finding it in the admin. You can use {entry_url} in your Gravity Forms notification so it looks like:

{all_fields}
{entry_url}

What field types can be encrypted?

We currently support these field types.
- Standard Fields
  - Single Line Text
  - Paragraph Text
  - Dropdown
  - Number
  - Checkboxes
  - Radio Buttons
  - Hidden
- Advanced Fields
  - Name
  - Date
  - Time
  - Phone
  - Address
  - Website
  - Email Field
  - File Upload
  - List
  - Multi Select
If you need to encrypt another field type, please Contact Us with details on what you need.

How are files encrypted from the File Upload field?

Files are encrypted after upload and are stored in the same location an unencrypted file upload would be stored, which defaults to a directory under wp-content/uploads/gravity_forms
The encrypted files are stored with a randomly generated string of characters as their name, so the stored file does not reveal anything about what the file is.
The original filename is stored encrypted in the database along with the Entry, so downloading the file preserves the original name.

Is searching encrypted fields possible?

It is currently not possible to search for data in encrypted fields; your search must be limited to the unencrypted fields.

Can my encrypted data still be sent through email?

By default, our system prioritizes data security. When an email notification is triggered that includes fields marked as Encrypted, the system hides the actual data and replaces it with a placeholder.
We offer an option to override this security measure:
- For specific notifications, using the “Show Decrypted Values in Email” checkbox in the notification settings.
- For specific fields, using the “Show Decrypted Value in Notification” checkbox in the form setting.

Security Warning
Please read before enabling.
Email is inherently an insecure medium. When you enable the Show Decrypted Values features:
- Encryption is removed: The data is decrypted from the WordPress database and sent as plain text over the internet.
- Permanent Record: Copies of this email may be stored in plain text on email servers, ISP logs, and the recipient’s device.
- Risk of Exposure: If the recipient’s email account is compromised, this sensitive data will be exposed.

Recommendation: Only enable this feature if the specific data fields are not strictly confidential, or if your organization has verified that the email environment (sender and receiver) utilizes strict transport encryption (TLS) and access controls.

Can I set my encryption key in wp-config.php?

Yes, you can use the constant CROSSPEAK_GRAVITYFORMS_ENCRYPTION_KEY, such as:
define( 'CROSSPEAK_GRAVITYFORMS_ENCRYPTION_KEY', 'OGYxt4/8Pzd593tKAR4bLnSK6EsC0hWzvGm6OwQeXVU=' );

The key must be a base64 encoded version of a 32 byte key.
You can get the generated key from wp-content/gf_encryption_configuration.php

How can I set my encryption key with an environment variable?

Copy the generated key from the wp-content/gf_encryption_configuration.php file and put it in your environment variable.
You can use the CROSSPEAK_GRAVITYFORMS_ENCRYPTION_KEY constant to set your encryption key.
For example, in your wp-config.php use:
// env() is not a PHP or WordPress core function; your setup must provide it. Plain PHP reads the same variable with getenv( 'GF_ENCRYPTION_KEY' ).
define( 'CROSSPEAK_GRAVITYFORMS_ENCRYPTION_KEY', env( 'GF_ENCRYPTION_KEY' ) );
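
One way to guard the wp-config.php definition above, as an added example that is not the plugin's own code: it reads GF_ENCRYPTION_KEY with PHP's getenv() and defines the constant only when the value is strict base64 that decodes to exactly 32 bytes. The helper name gf_key_from_env, the 503 response and the assumption that the variable is present in the PHP process environment are illustrative.

```php
<?php
// Added example. In wp-config.php, place the lines below the existing
// opening tag and above the line that loads wp-settings.php.

/**
 * Return the key if it is strict base64 that decodes to exactly 32 bytes,
 * otherwise null. Hypothetical helper, not part of the plugin.
 */
function gf_key_from_env( string $var_name ): ?string {
    $raw = getenv( $var_name );
    if ( false === $raw ) {
        return null; // variable is not set in the process environment
    }

    // Secret stores and shell exports often leave a trailing newline.
    $raw = trim( $raw );

    // Strict mode rejects characters outside the base64 alphabet instead
    // of silently skipping them.
    $decoded = base64_decode( $raw, true );
    if ( false === $decoded || 32 !== strlen( $decoded ) ) {
        return null; // not base64, or not a 32 byte (256 bit) key
    }

    return $raw; // the constant takes the base64 form, not the raw bytes
}

$gf_key = gf_key_from_env( 'GF_ENCRYPTION_KEY' );

if ( null === $gf_key ) {
    // Stop here rather than define the constant with an empty or
    // malformed value. The log line names the variable, never its value.
    error_log( 'GF_ENCRYPTION_KEY is missing or is not base64 of a 32 byte key' );
    http_response_code( 503 );
    exit( 'Site configuration error.' );
}

define( 'CROSSPEAK_GRAVITYFORMS_ENCRYPTION_KEY', $gf_key );
```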

Will webhooks continue to work?

Yes, webhooks will continue to work as normal. The data is sent to the webhook unencrypted.
