Introducing anon.li Form
End-to-end encrypted intake forms. Build a form, publish the link, and read answers only you can decrypt — even we can't.
Forms are how the internet asks you for things — for tips, applications, signatures, complaints, contact details. The default tools (Google Forms, Typeform, the rest) all share the same posture toward your data: the server reads every response in plaintext, stores it indefinitely, and sells you analytics on top of it. That is fine for booking a haircut. It is not fine for whistleblowing, legal intake, HR cases, security disclosures, or anything you'd rather your form provider never saw.
Today we're launching anon.li Form — the third pillar alongside Alias and Drop. Build a form, share the link, and read submissions that only you can decrypt. Our server stores ciphertext and nothing else.
How it works
When you create a form, your browser generates a fresh X25519 keypair. The public key ships with the form so any visitor can encrypt to it. The private key is wrapped under your account vault key — the same vault that protects your Drop owner keys — and stored server-side in that wrapped form. We never see it in the clear.
When someone submits, their browser:
- Generates an ephemeral X25519 keypair for that submission.
- Performs ECDH against your form's public key to derive a shared secret.
- Encrypts the answers with AES-256-GCM and a fresh 12-byte IV.
- Sends us the ciphertext, the ephemeral public key, and the IV. Nothing else.
When you open a submission in your dashboard, your browser unwraps your form's private key with your vault, repeats the ECDH against the submitter's ephemeral public key, derives the same shared secret, and decrypts. The server's role in all of this is to store opaque blobs and route them to you. That's it.
A consequence worth being explicit about: if you lose your vault, you lose your submissions. There is no support button we can press. That is the cost of the property we're offering, and it is the property we're offering.
What you can build
The visual builder gives you the field types you'd expect — short text, paragraphs, single-choice, multi-choice, ratings, file uploads — and lets you reorder, label, and require them. Forms can be classic top-to-bottom or one-question-at-a-time, whichever fits the flow.
A few things we cared about getting right: