ddspringle / framework-one-secure-auth

An example fw/1 application with secure single and two-factor (2FA) authentication and session management functions
Apache License 2.0

db vs repeatable #13

Closed Daemach closed 5 years ago

Daemach commented 5 years ago

In your security service cfc you use repeatable and db repeatable encryption. What are the differences/use cases for those?

And do you have examples for how you're using the form/url encryption methods? I would like to encrypt/hash form/url field names too and I'm looking for best practices.

ddspringle commented 5 years ago

The use case for 'repeatable' encryption is username, typically. When searching for the user to log them in you are guaranteed to find the record, since the standard 'db' encryption will produce a different result on each pass (if not using custom initialization vectors, anyway).

The use case for 'rform' encryption is typically guid values that must be accessed by javascript, for the same reason (predictable, repeatable, yet still secure, values).

For examples of usage your best bet is to check out the guides I wrote on obfuscation, encryption, authentication and session management on cfdocs - If you start here: https://cfdocs.org/security and scroll down to the bottom of that page it will link you to those additional topics, or you can click 'guides' up top and look for those topics.

Those are a little bit dated, but should give you solid examples of where and when to use encryption techniques... and then you can see how those are implemented in this framework one example here for better context.

I also presented on this topic a few times at conferences in the past that are recorded. The most recent one, I believe, is available here: https://www.youtube.com/watch?list=PLz6r7YssJoKRKB50ZSGTo_oX7ojYcF9TS&v=bxBywc39P1A

HTH
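The distinction described in the answer above (randomized 'db' encryption that changes on every pass versus 'repeatable' encryption that can be recomputed for a database lookup) as an added, self-contained example. This is not code from the framework-one-secure-auth project, and it is written in Go rather than CFML so it can be run anywhere with a standard toolchain. The 'db' style uses AES-GCM with a fresh random nonce; the 'repeatable' style derives the nonce from the plaintext with HMAC under a separate key, a simple synthetic-IV illustration of the idea rather than the project's own construction. `demoKey`, `EncryptRandomized`, `EncryptRepeatable`, `Decrypt`, `FindUser` and the sample username are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte AES-256 key for the example only;
// a real deployment loads the key from a secret store, never from source.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// newGCM wraps the key in an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRandomized is the 'db' style: a fresh random nonce on every call, so the
// same plaintext produces a different ciphertext each pass. Output is nonce || ciphertext.
func EncryptRandomized(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// EncryptRepeatable is the 'repeatable' style: the nonce is an HMAC of the plaintext
// under a key derived from the encryption key, so equal plaintexts give equal ciphertexts
// and the stored value can be recomputed at login time for an equality lookup.
// (Illustrative synthetic-IV construction, not the project's own.)
func EncryptRepeatable(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Separate MAC key so nonce derivation and encryption do not share a key.
	macKey := sha256.Sum256(append([]byte("nonce-derivation:"), key...))
	mac := hmac.New(sha256.New, macKey[:])
	mac.Write(plaintext)
	nonce := make([]byte, aead.NonceSize())
	copy(nonce, mac.Sum(nil))
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt handles both formats, since each stores its nonce as the prefix.
func Decrypt(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// FindUser models the login lookup: a table keyed by the hex ciphertext of the stored
// username. Only a repeatable ciphertext can be recomputed to hit the stored key.
func FindUser(table map[string]string, key []byte, username string,
	encrypt func([]byte, []byte) ([]byte, error)) (string, bool) {
	ct, err := encrypt(key, []byte(username))
	if err != nil {
		return "", false
	}
	id, ok := table[hex.EncodeToString(ct)]
	return id, ok
}

func main() {
	user := "alice@example.com" // constructed sample value

	stored, _ := EncryptRepeatable(demoKey, []byte(user))
	table := map[string]string{hex.EncodeToString(stored): "user-id-42"}

	if id, ok := FindUser(table, demoKey, user, EncryptRepeatable); ok {
		fmt.Println("repeatable lookup found:", id)
	}
	if _, ok := FindUser(table, demoKey, user, EncryptRandomized); !ok {
		fmt.Println("randomized lookup misses: ciphertext differs on every call")
	}

	a, _ := EncryptRandomized(demoKey, []byte(user))
	b, _ := EncryptRandomized(demoKey, []byte(user))
	fmt.Println("randomized ciphertexts equal?", bytes.Equal(a, b))
	pt, _ := Decrypt(demoKey, a)
	fmt.Println("round trip:", string(pt))
}
```

The trade-off to keep in mind when choosing the repeatable form: because equal plaintexts map to equal ciphertexts, anyone who can read the column can tell which rows share a username, so it should be reserved for fields that genuinely need equality lookup (the username case in the answer) and the derived nonce key must be protected as carefully as the encryption key itself.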