Host a submission form on an untrusted or shared host by using public-key encryption!
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
erinn f3fafacb59 Add 'LICENSE' il y a 6 mois
api Work with new file format + drone il y a 7 mois
qml bugfixes and style il y a 7 mois
.drone.yml remove asset from drone deploy il y a 7 mois
.gitignore Initial Commit il y a 7 mois
LICENSE Add 'LICENSE' il y a 6 mois Update '' il y a 6 mois
go.mod go.mod to build il y a 7 mois
go.sum sigh il y a 7 mois
lockbox.go bugfixes and style il y a 7 mois
lockbox.png README stub il y a 7 mois

Host a submission form on an untrusted or shared host by using public-key encryption! This repository hosts the source code for the Lockbox app, which works together with the Lockbox web app.

Lockbox is a barebones form submission app intended to be easily adaptable for different needs. It works by capturing all submitted form data and encrypting it with a (libsodium) public key before saving it. Saved data can only be read by decrypting it with your unique private key, which can be kept offline and protected however you like.


  • Use the Lockbox app or the cmd/genkeys.php script to generate key.public and key.private files
  • Only people with the key.private file can decrypt submissions -- make a backup copy of it and keep it somewhere safe! If you lose it, you won’t be able to recover any submissions you haven’t decrypted yet.
  • Upload the web app files and your generated key.public file onto a webserver that supports PHP
  • Configure the form by editing php/ and php/
  • Rename admin.php to something unpredictable if you would like to use it


  • Submissions can only be decrypted using the key.private you generated earlier.
  • Download the encrypted submissions.dat file either directly from your server or by using the renamed admin.php script.
  • Use the Lockbox app or cmd/decrypt.php to decrypt submissions. It will output a CSV file that can be opened in any spreadsheet editor (such as Microsoft Excel or LibreOffice Calc).

Making HTML forms

  • We are working on attaching an HTML form generator. For now, you can write HTML by hand or use any form editor you prefer that is capable of outputting HTML.
  • The submission script will capture all form fields submitted to it.
  • Field ordering is not preserved by default. If you would like spreadsheet columns to appear in a certain order, you can give your form fields a number and an underscore, for example 01_name, 02_address, 03_phone etc. The Lockbox app will remove the numeric prefix when creating the spreadsheet.
  • Do not name a form field email as it is used for detecting bots.
  • Submission time, submission number, and submitter IP address are all added automatically.

Threat Model

  • Lockbox’s encryption is intended to protect against attackers that gain read-only access to the webserver where the form is hosted. Attackers that get access to encrypted data cannot decrypt it.
  • Lockbox does not and cannot protect against attackers that can modify the web app. The app can be modified so that submissions received after the compromise are intercepted before they are encrypted. (Submissions received before such a compromise would remain safely encrypted.)