Security

Managing Your Encryption Key

Best practices for storing, backing up, and handling your BizForms Storage Mode private key.

Open in app

Your Storage Mode private key is the only way to decrypt your form responses. This page covers how to keep it safe.

What the private key looks like

Your private key is downloaded as a .key file when you enable Storage Mode. It contains a base64-encoded 32-byte key string. Keep this file safe — treat it like a password to your most sensitive data.

Store the contents of the .key file as a secure note in your password manager (1Password, Bitwarden, Dashlane). This gives you:

  • Encrypted storage
  • Access from multiple devices
  • Team sharing capability (if using a team vault)
  • Automatic backup

Encrypted USB drive

For high-security environments, store the key on an encrypted USB drive kept in a physically secure location. Make at least two copies stored in different locations.

Secure cloud storage

Store the key in an encrypted file in cloud storage (Google Drive with 2FA, encrypted Dropbox folder). This is convenient but slightly less secure than a password manager.

Team access

If multiple team members need to decrypt responses, each person who needs access must have a copy of the private key. Share it via your team password manager vault — never via email or chat.

Business plan: Key escrow is on the Business plan roadmap — this will allow an admin to recover a key from a securely stored copy, preventing permanent data loss if the original key is misplaced.

What to do if you lose your key

If you lose your private key, existing encrypted responses cannot be recovered. There is no master key, no backdoor, and no recovery process. This is by design — it means BizForms cannot be compelled to hand over your data.

Your options:

  1. Rotate keys — generate a new key pair for future submissions. Go to Settings → Security → Storage Mode → Rotate keys. Past responses remain encrypted and unreadable.
  2. Delete and restart — if the encrypted responses are no longer needed, delete them from the Responses tab and continue collecting new responses with the new key.

Disabling Storage Mode

To disable Storage Mode for a form (revert to standard, server-readable storage):

  1. First, decrypt and export all existing responses you want to keep
  2. Go to Settings → Security → Storage Mode
  3. Click Disable Storage Mode

Existing encrypted responses are deleted. New responses will be stored unencrypted.

PreviousStorage Mode (E2E Encryption)Next HIPAA Mode

Something unclear? Let us know.