Encrypt and Decrypt using Crypto.js (AES)

Gold Contributor
Gold Contributor


I been trying the following when it comes to encrypt and decrypt data in Tealium. I am keen to see/understand how others are doing it. Here are my steps and actions

1. Create a javascript extension and scope it as "Preloader" and move it at the top so it loads correctly. I named it "Crypto Lib".  Copy and paste the whole lib. It should start with the following (Google it and get it from the github. Google Code lib doesn't get updated anymore)

CryptoJS v3.1.2
(c) 2009-2013 by Jeff Mott. All rights reserved.

2. Now the fun part - Let's assume you are collecting email address via UDO dataLayer variable called "dataLayerEmail" and your goal is to encrypt the email and send it to your analytics vendor. So let's create a new Javascript extension called "Email Key" and paste the following code bit (modify as needed). You could combine it with your preloader extension - but I like to be able to update the "Crypto Lib" at will and I wanted the scope of this javascript extenion "Email Key" to my analytics vendor tag only. Also make sure you set the extension condition e.g. Page URL equals "where your dataLayerEmail" variable will get populated or something similar. 

var key = CryptoJS.lib.WordArray.create('super-secret-key');
var iv = CryptoJS.lib.WordArray.create('just-a-key');
var email = b['dataLayerEmail'];
var encrypted = CryptoJS.AES.encrypt(email, key, { iv: iv });
b.customer_email = encrypted.toString();

3. You will also need to create a UDO variable called "customer_email" where the new encrypted data will be and that's the variable you need to map to your analytics vendor tag and follow your regular publish/debug routine.

4. As for decrypt you need to first get the data out of your analytics/marketing vendor provider. Then run decrypt script (see crypto.js help files) and you are good to go.

How do you guys do it? Is there any other AES encryption lib I should be using? Crypto.js works but it's not being updated by the maintainer anymore as far as I understand. 




Encrypt and Decrypt using Crypto.js (AES)

Tealium Employee

Hi @zhaque

In my experience, many customers use the 'crypto' extension, although technically that is one-way cryptographic hashing rather than encryption.  It can hash to MD5, SHA1, SHA256 or SHA512 but obviously that can't (reliably) be un-hashed again, but for an indentification key, for example, it should work. 

I haven't come across anyone using crypto.js for a few years, as you said it isn't actively being developed, so I suspect people may steer clear of it for that reason. 

The structure of your solution seems reasonable though.   I will ask my colleagues if anyone has any more experience of javascript AES encryption libraries, and get them to reply to this if they do. 

Many thanks

Steve Lake

Connecting data systems since the 1980s.

Encrypt and Decrypt using Crypto.js (AES)

Tealium Employee

Hi @zhaque

The issue here is that trying to do AES on the client exposes the secret key in the JavaScript for any reasonably proficient developer (or hacker) to see.

As @steve_lake suggestions, the Crypto extension may be a better choice here.  Although that is also done client-side, the difference is that it is one-way encryption.  Depending on what you are trying to do, the idea might work like this;

You have a set of email addresses that you Hash offline and put in a database server side (both the email address and the hash)

You then hash the datalayer email address client-side and in your server side code, you look up the match for that hash.  That way, the tag never sees the actual email address.

This is how several service providers such as Facebook work - you pass a list of email addresses to them in private, and in public, you only ever pass the hash of the email address to them.

If you wish to use that approach, the choice of hashing algorithm is important - SHA256 is a standard one.  You should also read up about "Salting" for possible extra security.

If, on the other hand, you cannot operate like this, because for example you do not have a master list of email addresses, then you do indeed need two-way encryption.  This cannot be accomplished purely client-side, because the secret key is exposed.  So, you'd either have to arrange for the email address to be present in the datalayer already encrypted, or you'd have to use a server-side service to accept the unencrypted email and return the encrypted value, while keeping the key secret.