I am building an app that collects non-personal information about customers when they text my service through Twilio. Unfortunately, the only good way I see to keep track of people is to use their phone number as an id. My plan to maintain privacy/security is to encrypt the phone numbers.

I plan to store customer phone numbers in an Amazon S3 instance that has been compromised before: all the more reason to keep them encrypted.

In fact, I would like to NEVER allow myself to decrypt them again. I am using node in this case to do the work. All that I need is that the hash property (encrypting the same phone number gives the same output) is preserved.

What is the best way to encrypt, without giving myself the option to decrypt?

Seth
  • I would use a Hash not encryption. See here: http://stackoverflow.com/questions/5878682/ac-js-hash-string – akaphenom Jul 15 '16 at 00:00
  • MD5 perhaps could be a possible solution – Ed Heal Jul 15 '16 at 00:00
  • Deal with phone numbers the same way you would a password. – eandersson Jul 15 '16 at 00:01
  • @EdHeal MD5 is rarely a good solution, these days SHA-256 is a best practice. – zaph Jul 15 '16 at 06:39
  • It is a little easier than passwords, users do not choose bad phone numbers like "password" so common password lists do not help and they are unique. But in general handling them like passwords is a good choice. – zaph Jul 15 '16 at 06:42

1 Answer

You wouldn't encrypt it, you'd hash it. Look into something like SHA-256.

It's recommended you add a salt. This is a random value appended to prevent brute forcing.

Thomas
  • Note that the salt needs to be stored along with the hash value, usually by prepending it to the hash. – zaph Jul 15 '16 at 06:38
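
An added Node.js example, not code from the question or the answer: it shows the salted SHA-256 described above next to a deterministic variant that meets the question's "same number, same output" requirement. The deterministic variant uses HMAC-SHA-256 under a secret key, which is a different technique from the salted hash the answer names; the function names, the key handling and the 555 sample numbers used with it are assumptions.

```javascript
const crypto = require('crypto');

// Canonical form so one subscriber always yields the same input bytes.
// Assumption: numbers arrive as E.164 ("+15550100123"), possibly with
// spaces, dashes or parentheses mixed in.
function normalizePhone(raw) {
  const digits = String(raw).replace(/\D/g, '');
  if (digits.length < 8 || digits.length > 15) {
    throw new Error('not a plausible E.164 number');
  }
  return '+' + digits;
}

// Salted SHA-256 as in the answer, with the salt stored in front of the
// digest as the comment suggests. A fresh random salt per record means the
// same number produces a different string every time.
function saltedHash(phone, salt = crypto.randomBytes(16)) {
  const digest = crypto.createHash('sha256')
    .update(salt).update(normalizePhone(phone)).digest('hex');
  return salt.toString('hex') + ':' + digest;
}

// Checking a number against one stored record means re-hashing with that
// record's salt; there is no way to look a record up by hash alone.
function matchesSalted(phone, stored) {
  const salt = Buffer.from(stored.split(':')[0], 'hex');
  const a = Buffer.from(saltedHash(phone, salt));
  const b = Buffer.from(stored);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Deterministic id: HMAC-SHA-256 under one secret key (assumption: the key
// is loaded from somewhere other than the S3 bucket). Same number, same id;
// without the key the ids cannot be rebuilt by enumerating phone numbers.
function customerId(phone, key) {
  if (!Buffer.isBuffer(key) || key.length < 32) {
    throw new Error('key must be a Buffer of at least 32 bytes');
  }
  return crypto.createHmac('sha256', key)
    .update(normalizePhone(phone)).digest('hex');
}
```

Changing the key changes every id, so the key has to stay the same for as long as the stored ids are in use.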