Skip to content
Start building
Back

createStringAttribute encrypted still shows plaintext

  • 0
  • Self Hosted
  • Databases
View on Discord
ZachHandley
15 Dec, 2023, 19:19

as the title specifies, I am trying to create an SSN attribute and a federalTaxId and after using the createStringAttribute with encrypted true it still shows as plain text in the console, is that on purpose or?

TL;DR
The user is asking why the encrypted string attribute still shows as plaintext in the console of Appwrite. The response explains that the encryption in Appwrite ensures data is encrypted in the database, but it is decrypted when fetched from the database and returned from the API. If this does not work for the user, they need to find an alternative solution. The console should not be visible to anyone but the user. The user suggests that it should be encrypted in the console. The solution is not provided in the thread.
ZachHandley
15 Dec, 2023, 19:30

@Drake is this supposed to work like this?

ZachHandley
15 Dec, 2023, 19:31

@D5

D5
15 Dec, 2023, 19:32

I think in console yes

Drake
15 Dec, 2023, 19:32

Yes, the data is encrypted in the database

D5
15 Dec, 2023, 19:32

Console decrypts it

ZachHandley
15 Dec, 2023, 19:32

but it should 1000% be encrypted in the console still IMO

Drake
15 Dec, 2023, 19:33

how would you decrypt it?

ZachHandley
15 Dec, 2023, 19:33

Only on usage

Drake
15 Dec, 2023, 19:33

The console is...using..it

ZachHandley
15 Dec, 2023, 19:33

I get what you're saying

ZachHandley
15 Dec, 2023, 19:33

But it's not secure to have SSN's in plain text anywhere

ZachHandley
15 Dec, 2023, 19:34

they should, in theory, be always encrypted and never visible unless it's specifically needed for something and even then usually the last 4, it's just used in this case to verify their application and they are who they say they are, credit check, that good stuff

ZachHandley
15 Dec, 2023, 19:36

I guess technically the console should never be visible to anyone but me but

Drake
15 Dec, 2023, 19:36

so when you're dealing with encryption, the big things to always ask are when does it need to be encrypted/decrypted.

The encryption that Appwrite provides for string attributes ensures the data is encrypted in the database so that someone looking at the database can't see the value. When the data is fetched from the database, it's decrypted and when it's returned from the API, it's plaintext

If this doesn't work for you, you'll have to look into an alternative

ZachHandley
15 Dec, 2023, 19:37

fair enough

Drake
15 Dec, 2023, 19:38

that said, it could be a good feature request to hide encrypted strings like how we hide API keys, function variables, etc. Honestly, the console hasn't been updated for encrypted string attributes at all 😅

ZachHandley
15 Dec, 2023, 19:38

it's totally understandable, I mean even thinking it through logically like

ZachHandley
15 Dec, 2023, 19:38

it's just me that can see it but

ZachHandley
15 Dec, 2023, 19:38

part of PCI compliance is just that it's not a string and visible in any context unless it's being used

ZachHandley
15 Dec, 2023, 19:38

for it's purpose

ZachHandley
15 Dec, 2023, 19:39

and it might even be fine how it is, tbh I don't know, cause it's just me, but anyways yeah I figure it could be neat

Drake
15 Dec, 2023, 19:43

depending on your usecase, you could maybe store last 4 as an encrypted string. Or you could store a hash

ZachHandley
15 Dec, 2023, 20:30

true

Reply

Reply to this thread by joining our Discord

Reply on Discord

Recommended threads

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more