My problem involves a couple modules: Ubercart, Encrypt, Key and Lockr. I'm not sure if it belongs in this project's issue queue, but I figured I'd start here. Hoping other ubercart users (especially those using it on Pantheon-hosted site) may have dealt with this and be able to advise me.

We migrated a client to Pantheon hosting a couple months ago. The site’s ubercart payments worked consistently on the old hosting platform, but have only worked sporadically on Pantheon and I’m trying to resolve the issue. It seems that the only payments that go through are ones made immediately after Drupal’s caches have been flushed.

I believe the problem is due to the credit card encryption: while I can set a directory in ubercart’s “Encryption key directory” field and I can see that the key does get generated, most payment transactions fail.

Ubercart wants you to store this key outside your doc root or in sites/default/files/private. I think this probably works perfectly on a normal hosting platform, but on Pantheon, the structure is different with sites/default/files/private not within the site's doc root.

I have read both of these pantheon guides: and Based on this info, I have installed the Drupal Key, Encrypt and Lockr modules and have enabled them.

In the Key module admin UI, I was able to signup for a Lockr account and add an encryption key of type Lockr encryption.

But now I don’t know how to make ubercart use this Lockr key. In Ubercart’s payment settings, under “Encryption key directory” it expects/requires a path to the key: what would this be for a Lockr key?

In the README for the Key module under the section "Using Keys" it seems to indicate I will have to write a custom module to make the Lockr key appear as a selectable option in the ubercart key directory settings. But I worry this may be beyond my abilities or consume vast amounts of time to figure out.

Is there an easy way to make ubercart use a Lockr key? Or has anyone written a custom module for this they'd be willing to share?

I have also posted this question to Pantheon support, the Lockr support slack channel and Drupal Answers. If I get helpful info from any of them, I'll post here.

Members fund testing for the Drupal project. Drupal Association Learn more


banoodle created an issue. See original summary.

erok415’s picture


TR’s picture

Status: Active » Fixed

You should upgrade to the latest version of Ubercart, 7.x-3.9 is more than a year old.

Ubercart doesn't care what directory you store your encryption key in, but it would be foolish to store it in a directory that is accessible from the web. On Pantheon, /sites/default/files/private (or a subdirectory of this) is a reasonable place to put your encryption key. You don't say why this is a problem for you - it should work just fine.

The functionality of the Key module is already built into Ubercart core (Ubercart coded this functionality long before Key existed), and in order to replace Ubercart's key management with the Key module you would have to modify Ubercart. Likewise, Lockr needs you to modify the code of any module that wants to use Lockr - the Drupal Lockr module comes with pre-built patches for some modules, but you would have to write a patch for Ubercart if you wanted to use Lockr in Ubercart. In general I'm not a fan of this sort of "installation" procedure, where you have to hack other modules and maintain those hacked versions.

In the Drupal 8 version of Ubercart we have abstracted the encryption so that it may be easily replaced by third-party plugins, but that would still require you to write a Lockr plugin.

Cellar Door’s picture

Title: How to integrate Lockr encryption key with Ubercart credit card payments » Integrate Key module for encryption key storage
Status: Fixed » Needs review
2.82 KB

Hey TR -

Saw this post and wanted to submit the patch that we worked on with Banoodle to allow for Key ( integration. Also wanted to clear up a few misconceptions around Lockr and how it works.

The patch is rather simple in nature. If the site has the Key module enabled it replaces the form element on the administration form with one that allows the user to select which key they want to use. Then on key retrieval it just does a quick look to see if Key is enabled and if they key_get_value() returns a value and if so returns it, otherwise it lets the module function as needed.

While I agree that some of the function of key management is already in Ubercart, I would argue having a centralized key management is beneficial for not only Ubercart but for a wide variety of modules outside of just Encrypt (which is where we based the initial revisions off of). This is why we created Key and why it's becoming the standard for D8 key management along with the Encrypt module. I think you'll agree by looking at the attached patch that it's a rather harmless patch to begin allowing users to centralize their keys. Relying on the file system and on the local sites/default/files/private is far from ideal.

As for Lockr, it's just a service provider to Key but isn't required for key to function. There are a number of options available at Key and it's pluggable to allow for any method of storage the site may need. Because of this, Lockr doesn't require any modifications to modules to operate, it's the Key module that requires the integration. The "installation" method you mention is our way of speeding up the patching process for folks while the patches (such as this one) work their way through the issue queue. This isn't abnormal to provide patches in this manner and really the goal is to make it so patches aren't necessary at all. We accomplished this in D8 with the overrides sub-module #2771013: Add Ability to Override Configuration With Keys which leverages config entities to allow for patchless overrides.

Take a look over the patch and see what you think. It's simple and gives users the freedom to choose how best they want to manage their site security around keys/encryption. We're also looking into creating a separate patch (I'll have a different issue created to track it) that will allow for use of the encrypt module as well as Key. It's a bit more involved but wanted to get this over in the meantime.

banoodle’s picture

Thanks for the patch. It worked great!

TR: we were storing the key in /sites/default/files/private and it would work for a while, but periodically and without warning transactions would stop working. I suspect it has to do with the key's path being saved as an absolute path on Pantheon that includes that long binding number. Is it possible when Pantheon changes containers/bindings (as I imagine they must do from time to time to retool hardware, etc.) Ubercart gets confused about the path?

It was this hunch plus the fact that Pantheon recommends using Lockr in their documentation on keys that made me want to use Lockr. If my theory about the Pantheon container bindings is right, Lockr should prevent this issue from recurring. If I'm wrong, well at least I'm storing my encrypted key off-site which is a good practice.

The site with this issue started out on another hosting platform where it apparently never had payment transaction problems and we haven't modified much on the site since moving it to Pantheon (client has a small budget so to your point: we are admittedly a bit behind on bug-fix upgrades and I'll try to upgrade ubercart as soon as possible).

The Drupal 8 improvements sound awesome! Thanks for all your hard work on that!


nicksanta’s picture

Issue tags: +key-integration

Added key-integration tag to track integration efforts across contrib.