Hello,
I also made a thread about this in the german subforum, but since we are running out of time I hope, that someone here might be able to help

• LimeSurvey Version + Build: when the problems showed Version 4.3.3 by now updated to 4.4.11+210301
• PHP Version: Ursprünglich 7.2.24-0ubuntu0.18.04.7 by now updated to 8.0
• MySQL Version: 5.7.33-0ubuntu0.18.04.1 - (Ubuntu)
• Betriebssystem; Server Ubuntu, Clients diverse Linux Distros + Windows
• Browser, etc.: Edge, Firefox, Brave, Chrome

We used LimeSurvey to organise an online tournament. SInce there are personal data involved, we had to encrypt those. But now all these fields are unreadable inside of the data base AND in LimeSurvey (Participant who looks at his data, PDF, Superuser + all Admins). All the exports are also encrypted. We already tried to decrypt the data with Sodium and PHP together with the public and secret keys (seurity.php). But we are inexperienced with this and didn't succeed. The Survey was created on the same server and the security.php-file wasn't altered.

We also made further test-surveys with only one encrypted field (text and multiple choice) and in each case the data wasn't readable to the participant nor to the Admin after it was sent to the server. If the field wasn't encrypted we had no issues. As a last resolve we also updated LimeSurvey to the newest version, since this seemed to has resolved the issue for some (with the help of ComfortUpdate) and did the same with PHP (8.0) too. Everythint to no avail and by now we are running out of options and our tournament is fast aproaching, which is, why we have to contact our participants.

What could be the issue at hand and most important: How can we decrypt our data now? We have exported the LSS, LSA and CSV-Files and of course have acces to the database ad the system itself.

Make a backup of security.php first.
Stay on PHP 7.3 or PHP 7.4.
LS4 is buggy and not ready for productive usage.

As a Comfort Update customer I recommend to open a support ticket with LimeSurvey GmbH now.

Do you know, when you activate the encryption? And what LS 4 version you had then?
It might be a bug introduce in newer versions.

Let's see if we can raise awareness to your issue.

Thank you for the recommendation

Before that we used 4.3.3.

is there anybody who could help us in the short term with decrypting the data?

is there anybody who could help us in the short term with decrypting the data?

It this was possible, then the encryption wouldn't be very good, would it?

I guess, but as I understand it should be possible with PHP and the keys. These should be the instruments, that LimeSurvey itself uses in order to do it.

Update: I also wrote a ticket to the LimeSurvey Support and they referred me back to this forum and to the bug tracker.

Unfortunately I can't post anything there, because it's telling me that my account is either blocked or my password wrong.

holch wrote: It this was possible, then the encryption wouldn't be very good, would it?

LimeSurvey should decrypt it without intervention of the user. Since the key (security.php) is there, the symmetric encryption/decryption should be working. I don't see a quick fix without developer input. My guess would be a change in the decryption/encryption routines or the keyfile changed.

LimeSurvey should decrypt it without intervention of the user.

Exactly. So I don't see a chance that someone else here might be able to help to decrypt.

We didn't access the keyfile until we witnessed problems and it hasn't changed since then. The only "strange" thing that I remember that we did was, that we activated the survey a few times (first without encryption) and then deactivated it in order to activate the encryption.

But as I wrote above, we can reproduce the problem with new surveys with encrypted fields. Since the fields are indeed getting encrypted, I suspect, that the module seems to work somehow, but it doesn't decrypt them.

Update: I also wrote a ticket to the LimeSurvey Support and they referred me back to this forum and to the bug tracker.

I am not suprised that they will not give you customer support, as you are running the community edition (and the unstable version on top of that).

But if you can't access the bug tracker, then you can respond to your support ticket and ask them to fix that, so that you can report this problem. Otherwise I don't see much that can be done.

Qhorinhalbhand wrote: Update: I also wrote a ticket to the LimeSurvey Support and they referred me back to this forum and to the bug tracker.

 

Interesting, they referred you back to the forum and the bugtracker? Ok, then open a bugticket with your description here and the versions. This ticket can become private, but you shouldn' add real data now.

I recommend to copy the survey in your system, and reduce the survey to just two questions which are set to encryption.
When you run this reduced survey, make two entries and see if the encryption / decryption works there.
If the same issues occurs there, you can think about sending the demodata and the security key. Still a risk exposing the security key, but without the real datafile  no real exposing.
 

holch wrote: I am not suprised that they will not give you customer support, as you are running the community edition (and the unstable version on top of that).

 

LS4 was not always labeled unstable and ComfortUpdate customers are valid for support tickets.  LimeSurvey GmbH might changed there support concept.

 

LS4 was not always labeled unstable and ComfortUpdate customers are valid for support tickets. LimeSurvey GmbH might changed there support concept.

Yes, but I assume that these support tickets only cover ComfortUpdate, but not anything else.