Is it possible/feasible to SHA-256 hash user's email addresses in Marketo?

So the use case is that the unsubscribe page is non-marketo and when a user clicks on the unsubscribe link in the marketo email, the user's email address is passed along the mkto token, and the requirement is to encrypt that email address which will be further processed in the unsubscribe page as per the need (which I'm not fully aware of-meaning I don't know what operations they will have on that encrypted address). We only have the ask to encrypt the email address in that unsubscribe link.

SHA-256-ing an email address in Velocity

Thank you for the reply Sanford, and I apologize for responding so late (was absent from work), but here's the update from the original requester. They want to do something called advanced encryption standard, they want to have a symmetric encryption implemented between Marketo and their system (where their unsub page is). They want to perform encryption at Marketo side and using a shared key they would decrypt the email address. They also mentioned that Hashing will not work as their system needs to know the cleartext email to unsubscribe the user.

Now I'm not completely aware of this technique and I'm not sure if this is possible in Marketo, that to maintain a shared key in Marketo for this symmetric encryption. So I hope that you're aware of this as well and could shed some light on this type of integration in Marketo

Cheers.

Yes, you can use AES from Velocity for reversible encryption (of course that's why I mentioned they probably didn't want SHA-256 because it isn't reversible... I can read into these things from experience!).

However, you should professionally engage a Marketo-fluent Velocity developer from this point. It's too complex and sensitive a project for unsupported code.

Thank you for your reply Sanford, really appreciate your help here. Just one quick question. Is the velocity script that you've written here : SHA-256-ing an email address in Velocity is only for SHA-265 hashing or can we use/modify it for AES encryption?

Thanks

It supports all of the MessageDigest hash algorithms by substituting the corresponding name: MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512.

It doesn't do encryption or decryption. That requires a different set of of classes and functions.

Hi Sanford,

Hope you're doing good.

We could really use your help here. We tried to figure out any encryption methods using velocity but failed to do so or find any relevant use case online. Here we have a little experience in velocity and thus looking for an expert who could at least guide us if not provide the code. Would be a great if you could help us out here.

Thanks

Understand your situation, but I'm not comfortable providing what amounts to security consulting on a public forum. Once you're talking about AES (and especially b/c you're acting on behalf of a 3rd-party) that code should be developed in private. (Yes, security through obscurity is a fallacy, and someday the code should be safe to open-source, but for now this isn't the place to discuss.)

Just sharing... I've done a similar project in the past where instead each user in the external app had a unique ID, which was created upon registration and sent to Marketo via API. Marketo emails would append the unique id to the unsubscribe link (a non-marketo page) and allowed the user to edit their email preferences. An API call would send their updated preferences back to Marketo.

So they understand that SHA-256 is not reversible?  They already have a database with all the email address and their precomputed hashes? Or are they going to hash every email address in their db on-the-fly while searching (terrible idea)?

Please check this with them because I don't want to send you down a road that will end up being unusable.