Vignette encryption

[florianm]

Feature

A new vignette demonstrating workflows around encrypted forms would add context and value for ruODK users. @Thaliehln is preparing a draft, the following are some ideas extracted from #110

Generic workflow

The updated ruODK::submission_export should now export data from both encrypted projects and non-encrypted projects. HTTP method is changed from GET to POST and encryption key ID / passphrase are provided via POST body using a JSON format. You can unzip and inspect encrypted forms using the same routine as for non-encrypted forms:

se <- submission_export()
t <- tempdir()
f <- unzip(se, exdir = t)
fs::dir_ls(t)
fid <- get_test_fid()
sub <- fs::path(t, glue::glue("Locations.csv")) %>% readr::read_csv()
sub %>% knitr::kable(.)

Handling multiple encrypted forms with different passphrases

About multiple passphrases, I need to better understand in which scenarios we may have more than one encryption key. In the current version of the code, the selection of the first encryption key ID is hard-coded, but this is not very robust and I am wondering if using a dictionary would not be a more elegant / generic way of managing multiple passphrases.

As an option, but not a prescription, environment variables are generally a good place for sensitive information. Short of using dedicated secret managers, I'd demonstrate a mockup (doesn't have to send real requests) using several passphrases from several env vars via pp = Sys.getenv("..."), and refer to https://cran.r-project.org/web/packages/httr/vignettes/secrets.html for more advanced options of managing secrets.

submission_get example

ruODK::submission_get does not allow accessing the submission details, but retrieves encryption metadata

odata_submission_get example

ruODK::odata_submission_get does not return any error, but indeed only metadata are returned.