Encrypt database

Hello again! There’s no way you can implement what you want within Bubble.

I can look at this tomorrow for you, it should be fairly simple but then I always say that :laughing:

That would be great @NigelG! I am curious to understand how you do this.

Sorry @vini_brito for not seeing your message. Do you know what is the easiest way to set this up outside bubble? Using Firebase, AWS, Digital Ocean, Caspio, etc… I basically want to encrypt the data before sending it to the database and then decrypt it when I retrieve it.

It’s tricky, not something trivial. For example, this app (completely unrelated to Bubble!) does it: https://standardnotes.org/help/3/how-does-standard-notes-secure-my-notes

I don’t have the expertise to pull that. I think you’d need a different set of tools to build that.

There may be a way to do all this securely. Back in march, we had the following discussion: Base64-encoded HMAC-SHA256 signature?

I have not tested this out, but this may be an answer for you and anyone else.

Step one: Setup Server Side Script to call encryption

  • In the thread Base64-encoded HMAC-SHA256 signature?, we were using the Toolbox to create a server side script to encrypt a string of text. At the time, bubble’s servers did not have the libraries to call node npm, but I think that got fixed and they can. Here’s a list of potential functions you may be able to make: https://www.npmjs.com/package/aes256
  • Can someone else advice if we can now use var crypto or var aes256 in toolbox or bubble’s server script api? Can we now do this in bubble as I beleive they allow us to now call common np libraries (or I may be wrong)
  • Test what we tried in the above thread with a simple password. You should be able to encrypt and decrypt a text string in your database if successful. Just use a simple password to start
  • From my understanding, server side processes in bubble (API / Scripts) are more secure than running operations in the browser

Step Two: Setup a password vault to securely store your secret password outside bubble

  • Never store passwords in your database, always keep them separate
  • Check this article from Digital Ocean: https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04
  • Follow this DO guide, it’s easy to setup an unbuntu server (and cheap - 5$ a month) on DO.
  • Also Check out Hashicorp’s website, they have an awesome password / secrets vault that you should be able to API into to obtain a password to encrypt / decrypt your data within bubble. I think they even offer their own cloud password service so you wouldn’t need to get a ubuntu server up and running.

Try the above out. We’lll get @vini_brito and @NigelG to weigh in their thoughts

Don’t forget what I tell earlier. Even if you find a way to encrypt data outside of Bubble (or even in Bubble DB)… you will have an security issue with the “log in as…” function. You will need to think about another security layer to know if the user come from Backend or is a “real” authenticated user…
Also,
I’m not sure that you will be able to avoid data to appear in the Bubble logs…

2 Likes

I knocked this up in a SS plugin …

function(properties, context) {
    console.log('Starting up');
    
// Create a key 
    const key = 'real secret keys should be long and random';
 
// Create an encryptor:
	const encryptor = require('simple-encryptor')(key);

    return context.async( async function(cb) {
        // Normal Code Here
	    // console.log('Running convert');
        
        encryptor.encrypt('testing', function(error, output, response) {
            if (error) console.log( 'Error: ', error );
            // console.log( 'ok ' + output );
            cb(null);
        });
    });  
     
} 

It parses, but fails to run. Will port it back into a local node instance to see why it doesn’t work. But suspect is an issue with passing the callback. I can never work out how to do that in Bubble properly :frowning:

Will try a webtask to check it works, and then we can look at fixing it in bubble first.

1 Like

I think that the logs would only see the encrypted values (as only the front end runs the encrypt/decrypt) but I guess it depends on if the plugin inputs get shown in the log …

2 Likes

Right, here is a webtask URL that does what is needed. You really don’t want to pass every single bit of text externally !! But it can be used to prove a point.

https://wt-nigel_godfrey-gmail_com-0.sandbox.auth0-extend.com/encrypt?input=secret

https://wt-nigel_godfrey-gmail_com-0.sandbox.auth0-extend.com/decrypt?input=bd7a1d49f4dcca856f3dec44fecf7486a65e2ac1f9a8ace4b02552049b23a6bd3d16954a9a18e5fea0d7481e16f7684dS1VKn2P7dJHO4FM4CCVgPQ==

Here is the code. …

// Specify a string key:
var key = 'real secret keys should be long and random';
// Create an encryptor:
var encryptor = require('simple-encryptor')(key);
module.exports = function(context, cb) {
cb(null, encryptor.encrypt(context.query.input));
}

I have no idea why webtask takes a couple of minutes to get working, and bubble’s server side plugin editor is such a torturous route it is really really simple.

1 Like

The issue here is that, as soon as the decrypted information hits the browser, the Bubble page can send it back unencrypted to someone with edit access to the app, thus violating the “not even WE can see your data!” thing.

If someone with edit access wants, they can just run a “phone home” code at the page with the information they collected and no one will ever even know this is going on.

The other problem is that somehow you’ll have to handle both keys of the encryption, and with that you have the power to decrypt stuff.

It’s tricky to reach THAT level of privacy through encryption.

NINJA EDIT: You can tell the user to do his own manual encryption offline, but then the user would be better off with other more “underground” or p2p apps or just using facebook chat to transport his manually encrypted texts.

2 Likes

This is a long term project and Webtask doesn’t take any more clients. I’m just wondering if the easiest option is to save all data in AWS except for login data (saved at Bubble). Have some service at AWS that encrypts and decrypts (Lamba) the data using an API connected to Bubble?
I have no idea how to do this but It feels as the best longterm profesional option, an option I would be ready to pay if necessary. If someone can help me with any freelancing and any interest in taking on this project please contact me.

Thanks

Yes, and you would not want to do it externally either.

But what you can build in webtask you can build in a Server Side plugin - except that Bubble make it really difficult.

That was just intended to be a proof of concept.

2 Likes

I have this set up working with a Lambda function. I can check it out on Monday if you are willing to wait. I havent used it a lot but i think it works fine

2 Likes

Yes of course. But please be patient with me, I am a non developer. I really need to understand how to set this up from start to finish for dummies.

Thanks

Hi @boostsalesgroup , were you able to look into this?

Thanks

Hey1 I have this script working as a AWS Lambda function.
You need to create a AWS API Gateway endpoint and send your parameters there.

 const crypto = require('crypto')

    function encrypt(text, password){
    
    const cipher = crypto.createCipher('aes256', password)
    var encrypted = cipher.update(text, 'utf8', 'hex')
    encrypted += cipher.final('hex')
    console.log("Encrypted key: "+encrypted)
    return encrypted
}

function decrypt(text, password){
    
    const decipher = crypto.createDecipher('aes256', password)
    var decrypted = decipher.update(text, 'hex', 'utf8')
    decrypted += decipher.final('utf8')
    console.log("Decrypted key: "+decrypted)
    return decrypted
    
}

exports.handler = async (event) => {
    var password = "123456789"
    var authValue = event["headers"]["Authorization"]
    
    if(authValue == "1234567890"){
        const action = event['queryStringParameters']['action']
        var text1 = event['queryStringParameters']['text1']
        var text2 = event['queryStringParameters']['text2']
        var text3 = event['queryStringParameters']['text3']
        console.log(password+text1)
        if(action == 1){
            var text1 = encrypt(text1, password)
            var res2 = encrypt(text2, password)
            var res3 = encrypt(text3, password)
        }
        else{
            var res1 = decrypt(text1, password)
            var res2 = decrypt(text2, password)
            var res3 = decrypt(text3, password)
        }
    }
    else{
        var res = "Authentication failed! Access key missing"
    }

    const response = {
        statusCode: 200,
        body: JSON.stringify({ text1: text1, res2 : res2, res3 : res3 })
    };
    return response;
};
2 Likes

Is there a way to include NPM functions in AWS Lambda, or do you have to do it locally and zupload a .zip ?

i haven’t really this encrypting/decrypting with all of my data fields. You can use API gateway with Bubble’s API Connector or you can build a plugin for it.

Lambda does have a code editor
https://docs.aws.amazon.com/lambda/latest/dg/code-editor.html

or your can use https://www.npmjs.com/package/node-lambda (I haven’t tried using this)

1 Like

Non modules need to be packaged locally and uploaded to lambda

1 Like