don't unserialize because we can't trust user input, force `encrypt…

don't unserialize because we can't trust user input, force `encrypt… #147