I started updating my application to be compliant with GDPR. This application is using the latest version of CodeIgniter (I updated it just now as well). I’m trying to encrypt the user’s email address using the ‘Encryption’ library. I set my encryption key and I used $this->encryption->encrypt() to encrypt my email address. Everything is fine up to here, but how am I supposed to check whether this email address is unique in my database anymore?
EDIT: I didn’t change any default settings of Encryption library.
Thank you!
Answer
Even though I agree with Alex’s comment above that encrypting emails is just overkill and provides very little benefit, and, in fact, is NOT required by the GDPR as you seem to imply it is, one way you could encrypt your users’ emails (if you really wanted to) and ensure they are unique is to move your UNIQUE index to a sha256 hash of the email instead of on the encrypted email column. Since the same email address encrypted using a different initialization vector will produce a different output, you cannot put your UNIQUE index directly on that column; sha256, however, will always produce exactly the same result. The chances of collisions with sha256 hashes are essentially zero, and in the extremely unlikely event that there is a collision, the user just gets a notice that there is already an account registered with their email. Not really a big deal.
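The scheme the answer describes, as an added stand-alone example (this is not code from the question, the answer, or CodeIgniter itself): the email is stored encrypted with a fresh random IV per call, and a separate column holding a SHA-256 of the normalized address carries the UNIQUE index and is what registration checks against. Plain `openssl_encrypt()` stands in for CodeIgniter's Encryption library so the script runs without the framework; the `users` table layout, the `$db` PDO handle and the function names are assumptions made for the example.

```php
<?php
// Added example: UNIQUE index on a hash column, ciphertext in a separate column.
// Assumed (hypothetical) table:
//   CREATE TABLE users (
//     id         INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     email_hash CHAR(64) NOT NULL UNIQUE,   -- hex SHA-256 of the normalized email
//     email_enc  TEXT NOT NULL               -- random-IV ciphertext, never indexed
//   );

function normalize_email(string $email): string
{
    // Trim and lowercase so "Bob@Example.com " and "bob@example.com" hash alike.
    return strtolower(trim($email));
}

function email_hash(string $email): string
{
    // Deterministic: the same address always yields the same 64-hex-char digest,
    // so this value can safely carry the UNIQUE index.
    return hash('sha256', normalize_email($email));
}

function encrypt_email(string $email, string $key): string
{
    // A random IV per call means two encryptions of one address differ, which is
    // exactly why the ciphertext column cannot be the uniqueness key. The IV is
    // prepended so decrypt_email() can recover it. (Stand-in for CI's Encryption.)
    $iv = random_bytes(16);
    $ct = openssl_encrypt(normalize_email($email), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

function decrypt_email(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= 16) {
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Registration path: look up by hash, then insert both columns. The SELECT gives
// the friendly "already registered" message; the UNIQUE index is still the real
// guard against two concurrent registrations, so the duplicate-key error is caught too.
function register_user(PDO $db, string $email, string $key): bool
{
    $h = email_hash($email);
    $stmt = $db->prepare('SELECT 1 FROM users WHERE email_hash = ?');
    $stmt->execute([$h]);
    if ($stmt->fetchColumn() !== false) {
        return false; // an account with this email already exists
    }
    try {
        $ins = $db->prepare('INSERT INTO users (email_hash, email_enc) VALUES (?, ?)');
        $ins->execute([$h, encrypt_email($email, $key)]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') { // SQLSTATE integrity constraint violation
            return false;
        }
        throw $e;
    }
    return true;
}

// Self-check without a database: ciphertexts differ, hashes agree, round trip works.
function self_check(): bool
{
    $key = random_bytes(32);
    $a = encrypt_email('Bob@Example.com', $key);
    $b = encrypt_email('bob@example.com ', $key);
    return $a !== $b
        && email_hash('Bob@Example.com') === email_hash('bob@example.com ')
        && decrypt_email($a, $key) === 'bob@example.com';
}

echo self_check() ? "ok\n" : "FAILED\n";
```

One caveat from the editor, not part of the answer: a plain SHA-256 of an email address is cheap to reverse by guessing, since addresses are low-entropy and often already known to an attacker, so a leaked `email_hash` column would undo much of the point of encrypting the other column. Swapping `hash('sha256', ...)` for `hash_hmac('sha256', ..., $lookupKey)` with a key kept outside the database keeps the hash deterministic (so the UNIQUE index and the lookup work unchanged) while blocking offline guessing.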