Decryption of downloaded data

If a form has encrypted fields the download will contain the values of these fields in an encrypted format. An example of a CSV file where the date of birth has been encrypted is shown below.

Viewing CSV file with encrypted field in spreadsheet

Encrypted field contents in downloaded CSV file

To decrypt this data you will need the password (from Sealed Envelope support) and a decryption tool such as OpenSSL that can decrypt AES-256. You will also need to extract the encrypted field column into a new file so that the only data on each line is the contents of the encrypted field. You can do this by, for instance, copying and pasting the encrypted column into a text file:

U2FsdGVkX18BH/rs5o6X635KFSi26/5epe+hdfD0gH8=
U2FsdGVkX1+rbukCo7HxKWb/Vdv/1uLJDaQY4RW4lCM=
U2FsdGVkX1+vKpmwQVOrDDDViSSQFMHJ+wOAkJB4PEg=
U2FsdGVkX1/NChFlM5hl297WVjM7nrhqHOXdUwlA4nE=
U2FsdGVkX18DYFOIOvZsuJHraQMzDzyoWbrTpT8rcO0=

Encrypted column pasted into file dob-encrypted.txt

Once you have obtained the decrypted data you will probably want to paste it into a new column in the CSV file to allow it to be associated again with the other subject data.

Windows

On Windows, we recommend installing OpenSSL for Windows. It’s easiest to create a new folder and copy the openssl.exe file from the download into this new folder. Next create a batch file by copying and pasting the following code into a text document using Notepad or similar and save it as se-decrypt.cmd in the same directory as the openssl.exe file. Alternatively download a copy.

@echo off

REM Sealed Envelope batch file to decrypt data using openSSL AES 256
REM Input file is assumed to contain one encrypted item per line

set filepath=%~f1

if not exist "%filepath%" (
  echo %~n0: file not found - %filepath% >&2
  exit /B 1
)

set /P passwd="Password: "
echo Decryption of %filepath% at %DATE% > decrypted.txt
for /F "tokens=*" %%i in (%filepath%) do @echo %%i | openssl enc -aes-256-cbc -d -a -md md5 -pass pass:%passwd% >> decrypted.txt

se-decrypt.cmd

You must run the batch file from the Command Prompt - you should find this somewhere in your Start menu. You need to use the cd command to move into the folder that contains the openssl.exe file and your encrypted data file. You can use the dir command to see the contents of the current folder. Once you are in the correct folder type the command:

se-decrypt.cmd dob-encrypted.txt

where dob-encrypted.txt is the name of the file containing the encrypted data. Running this command will ask for the password and create (or overwrite) the file decrypted.txt. Screenshots for doing this are shown below.

Command prompt

Moving to the correct folder and running the se-decrypt command

Folder contents

Contents of the decryption folder after decryption

Decrypted file

Viewing the decrypted data

Mac

On macOS you can use the built in OpenSSL or install it using Homebrew. You will need to open the Terminal to type the relevant commands. In the example below the encrypted data is assumed to be in a file called dob-encrypted.txt on the Desktop. A decrypted file is created called dob-decrypted.txt using the password super-secret. Obviously you should change these parts to reflect your file names and password.

$ cd Desktop
$ cat dob-encrypted.txt
U2FsdGVkX18BH/rs5o6X635KFSi26/5epe+hdfD0gH8=
U2FsdGVkX1+rbukCo7HxKWb/Vdv/1uLJDaQY4RW4lCM=
U2FsdGVkX1+vKpmwQVOrDDDViSSQFMHJ+wOAkJB4PEg=
U2FsdGVkX1/NChFlM5hl297WVjM7nrhqHOXdUwlA4nE=
U2FsdGVkX18DYFOIOvZsuJHraQMzDzyoWbrTpT8rcO0=
$ while read in; do echo "$in" | openssl enc -aes-256-cbc -d -a -md md5 -pass pass:super-secret; done < dob-encrypted.txt > dob-decrypted.txt
$ cat dob-decrypted.txt
04/08/1997
11/08/1920
19/02/1987
10/10/1980
10/10/1980
$

The cd command is used to move to the folder where the encrypted file is held. You can use the list command ls to view files in the current folder. The cat command shows the contents of a file. The decryption is carried out with the command:

while read in; do echo "$in" | openssl enc -aes-256-cbc -d -a -md md5 -pass pass:super-secret; done < dob-encrypted.txt > dob-decrypted.txt

which you should adapt to use your own password and file names.

Page updated 5 Jan 2019