This procedure is quite technical and is intended for users who are comfortable with advanced technical instructions and requires strict attention to detail. 

Encrypted forms work by encrypting the data on the phone the moment it is saved. Data sent to KoBoToolbox is encrypted and completely inaccessible to anyone not possessing the private key. In this case, KoBoToolbox serves simply as a storage locker for your encrypted files - a place to upload and then download for later for local decryption (using ODK Briefcase). Since the form submissions are encrypted, it means, however, anything that requires access to the data like the map view or data export won't work within KoBoToolbox. The extra level of security makes using KoBoToolbox in a way to collect sensitive data while meeting certain data protection protocols possible.

How it Works

KoBoCollect supports the ability to encrypt the content of a form the moment it is marked as completed and ready for submission on the phone. To take advantage of this requires the use of a public encryption key which you include in the XLSForm and a private key (which you never share) that is used by ODK Briefcase to decrypt the data locally after you've downloaded it from KoBoToolbox. The public key is used to encrypt data while the private key decrypts it. Only a person who has the private key, can decrypt the data encrypted with the public key. To understand more about public and private key infrastructure see

How to encrypt XLS forms

  1. Create your form in KoBoToolbox as always. Download the form from the drafts list as an XLS file.
  2. In the downloaded file go to the 'settings' sheet.
  3. In this worksheet add an additional column 'public_key' (is the base64RsaPublicKey).
  4. public_key: In this column, you must paste your compatible public key. See below for more information on generating the required public key. 

4. Upload the XLS file back to KoBoToolbox. You can either import it back to the Form Drafts list and then deploy it as a new survey project, or import it directly to your deployed Projects list. Once deployed you should see a label with the text "encrypted" next to your form name.

How to decrypt forms

ODK Briefcase is used to download the encrypted files from KoBoToolbox and decrypt them locally on your computer using a private key ensuring single access to the data. For decryption to be successful with ODK Briefcase make sure you download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 from the Java download site. This is required for decryption to be successful.

To install the JCE:

  1. Unzip the downloaded zip archive
  2. Navigate into the extracted directory tree and copy the local_policy.jar and US_export_policy.jarfiles to the lib\security directory
  3. Paste these files inside the installation directory of the Java Runtime Enviornment (JRE) of your computer, replacing earlier versions of these files.
  • On Windows, the JRE is usually installed here: C:\Program Files\Java\jre7\lib\securityOn OSX the location is /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security
  • On OSX the location is /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security

To decrypt your forms:

  1. Download and open ODK Briefcase.
  2. Open the Pull tab and click Connect..., then enter the following: 

3. PULL the encrypted form to your computer.
4. The encrypted form is decrypted only during export. Go to the 'Export Tab' and specify the PEM private key to decrypt the form.

5. Click 'Export'
6. Data is exported as a CSV file, you can now view the unencrypted data.

Generating RSA Encryption Keys

To generate the RSA public-private key pairs you can use the OpenSSL software package, which is pre-installed on OSX and Linux. On Windows you have to download and install the OpenSSL software package from this site. (Note: install the Win64 OpenSSL v1.1.1c in C: rather than the default location C:\Program Files)

How to generate RSA key for use with encrypted forms on KoBoToolbox

Note: We strongly recommend using OpenSSL as documented below for creating your public/private key pair as other methods may not be supported by the software. 

  1. Open a Windows 'cmd' window.
  2. Type the following command: cd C:\OpenSSL-Win32\bin to change to the /bin directory in the OpenSSL directory. 

3. Create a 2048-bit private key and write it to the MyPrivateKey.pem file by typing the following command, then press Enter: openssl genpkey -out MyPrivateKey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048

4. Then, extract the public key for the above private key. Type the following command then press Enter: openssl rsa -in MyPrivateKey.pem -inform PEM -out MyPublicKey.pem -outform PEM -pubout 

5. You have now generated two files that is:

  • MyPrivateKey.pem - your private key that you need to move to a secure location.
  • MyPublicKey.pem - your public key, that you can share with anyone you want to share information securely

6. Open the MyPublicKey.pem with Notepad or another text edit, your public key is the uninterrupted very long string of characters, 


This string is what you will need to paste under the public_key field in your settings sheet on your XLS file. 

IMPORTANT: make sure that you paste only the public key string and no blank spaces or line breaks!

MyPrivateKey.pem is the file you will use when exporting the submissions using ODK Briefcase.

Did this answer your question?