Encrypt User name and user Login and User Email address
Hi,
Due to a strict demand in regards of the new GDPR guidelines our clients ALL need their email addresses Encrypted.
I know the GDPR guidelines say they don't have to be encrypted but our Clients ALL need this encrypted - and if we can't encrypt these fields then they will move CMS platform to Drupal.
Has anyone encrypted these fields before and if so how is this possible?
This sounds like it might appeal to a broader audience. You could bring it up here as feedback... Issues/Feedback ... and see what the community response is.
Otherwise you can always roll your own controllers with encryption when and where you want it: MSDN Cryptography Class
Regarding not being able to login to the "report issues site" -- YES this is confusing. I forget how I was able to register but the links to login were not working for me either.
It would be nice if someone @ Umbraco would look into that.
Thank you!!! Sorry this is in a sub-sub-thread. Is there a link available from issues.umbraco.org to direct users there? Apparently I wasn't the only one who had to dig to figure out how to register.
Continuing this sub-sub-thread... no, I cannot login or register through the top-right login button. Using Google Chrome Version 64.0.3282.186. When I click on Log In there is an error thrown in the browser console:
Uncaught TypeError: Cannot read property 'logout' of null
    at Object.handler (69cf1cc0.app.js:15)
    at Object.i.trigger (69cf1cc0.app.js:6)
    at g (69cf1cc0.app.js:6)
    at HTMLSpanElement.k (69cf1cc0.app.js:6)
    at HTMLDocument.dispatch (a9cb2043.lib.js:2)
    at HTMLDocument.q.handle (a9cb2043.lib.js:2)
(anonymous) @ 69cf1cc0.app.js:15
i.trigger @ 69cf1cc0.app.js:6
g @ 69cf1cc0.app.js:6
k @ 69cf1cc0.app.js:6
dispatch @ a9cb2043.lib.js:2
q.handle @ a9cb2043.lib.js:2
That sounds like an interesting case. I think it could be done, but you'll probably run into some problems due to email verification for example of the username for example. It could be fixed probably, but you'll need a custom build of the Umbraco source I guess.
To look at the problem, I had some questions popping up:
Are we talking about Umbraco Users or Umbraco Members, or both?
Do they need to be encrypted at the database level?
Is it okay that people who have access to the User / Member-section will see the email address and username in plaintext?
Could you explain why Drupal CMS would be a better choice? Are there any security related issues they handle better than Umbraco?
As Jonathan said earlier, as part of the move to GDPR the UK Gov is taking this one step further and insisting any personally identifiable information contained in the Member AND Users section be encrypted. Unfortunately this also includes your email address as the domain can confirm where you may work.
Database level encryption would be needed, the running concern is that an SQL injection attack may expose your details - or if someone managed to steal a backup etc.
Drupal is the alternative because this can be done at a database level via MariaDB much like the Always Encrypted option in MS SQL. (Not because it's a better CMS :-)
Also to clarify this is not mandatory for all sites in the UK just UK gov issued ones.
As stated in my recent blog post (http://skrift.io/articles/archive/i-have-a-nightmare-dream-about-umbraco-and-gdpr/), 'Always encrypted' is an option, and that should work out of the box with Umbraco, but still you are vulnerable to SQL Injection.
So if 'Always encrypted' is good enough for you, this will work in Umbraco.
I've tried 'Always Encrypted' and it doesn't work with Umbraco. The CMS throws all sorts of errors. I've even enlisted the help of Microsoft and the Azure team.
I know what you're saying about SQL Injection - this can be fixed, I'm talking about damage limitation here if someone managed to retrieve information from your database.
If you've managed to get Always Encrypted to work in Umbraco I'd love to know how you did this.
We've got TDE enabled too, which covers us for Encryption at Rest. We just need to cover ourselves for encryption in motion.
I tried changing a single column in the user table to use Always Encrypted, which results in the following error when you attempt to save/update the user:-
System.Data.SqlClient.SqlException: Operand type clash: nvarchar(255) encrypted with (encryption_type = 'RANDOMIZED', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'GDPRKey', column_encryption_key_database_name = 'security-test') is incompatible with varchar
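An added example, not code from this thread or from Umbraco: SQL Server raises this kind of operand type clash when a value reaches an Always Encrypted column as something other than a driver-encrypted parameter of the column's exact type, here a varchar value against an encrypted nvarchar(255) column. The server, database, table and column names below are placeholders; the sketch shows plain ADO.NET with column encryption enabled on the connection, the mismatched parameter next to the matching one.

```csharp
using System.Data;
using System.Data.SqlClient;

static class AlwaysEncryptedParameterDemo
{
    // Placeholder connection string. "Column Encryption Setting=Enabled" tells
    // the client driver to encrypt parameters bound to encrypted columns.
    const string ConnectionString =
        "Server=example-server;Database=example-db;Integrated Security=true;" +
        "Column Encryption Setting=Enabled";

    // Hypothetical table dbo.DemoUser with Email declared nvarchar(255) and
    // encrypted as in the error message above.
    const string Sql = "UPDATE dbo.DemoUser SET Email = @email WHERE Id = @id";

    // Mismatch: the parameter is declared varchar, so the server sees a varchar
    // operand for an encrypted nvarchar(255) column and rejects the statement.
    // A string literal concatenated into the SQL text is rejected the same way.
    public static void UpdateEmailMismatched(int id, string email)
    {
        Execute(id, email, SqlDbType.VarChar);
    }

    // Match: the parameter carries the column's type and length, so the driver
    // can encrypt the value before it leaves the application.
    public static void UpdateEmailMatched(int id, string email)
    {
        Execute(id, email, SqlDbType.NVarChar);
    }

    static void Execute(int id, string email, SqlDbType emailType)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(Sql, conn))
        {
            cmd.Parameters.Add("@email", emailType, 255).Value = email;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

With RANDOMIZED encryption, as in the error above, the column also cannot be used in a WHERE comparison; equality lookups on an encrypted column require DETERMINISTIC encryption.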
I have not tried "Always Encrypted" myself but @Jeffrey did mention in his Skrift article issues with certain field types although I don't think nvarchar was one of them....
I would - but you can't login
You can sign up for the issue tracker at http://issues.umbraco.org/registerUserForm
If you are not logged in and you click "Login" there is then a link to "Register new account"?
SQL Azure Transparent data encryption works with Umbraco without you having to change anything, we have many many projects running with it.
p.s. I know TDE isn't the same as "Always Encrypted"
Hi, No this doesn't work. We get the following error: