Problem/Motivation

Right now, Key doesn't natively integrate with Encrypt. If you have an encryption key already set up (see #3561668: Add the ability for the Encryption key type to automatically generate the encryption key in a file for where we're trying to make that happen in Key), there is no way to store a key encrypted automatically, with automatic decryption. You pretty much have to write your own key provider, as far as I'm aware.

Proposed resolution

Introduce a new key provider plugin, called encrypted or something similar. The new provider would take two configuration options:

encryption_profile: ID_OF_ENCRYPTION_PROFILE
value: ENCRYPTED_VALUE

If the configured encryption profile doesn't exist, the provider will throw an exception. This makes sense -- it cannot possibly access encrypted credentials with an encryption profile.

An alternate approach would be to introduce a trait for this behavior and override some of Key's built-in providers so that they use the trait. To me that would be a more complex and messier implementation.

User interface changes

No changes, but a new key provider would be introduced with its own configuration form.

API changes

None.

Data model changes

None.
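
A sketch of the read path such a provider could have, added here as an illustration; it is not code from the merge request or from the Key or Encrypt projects. The module namespace, the plugin ID `example_encrypted`, the class name and the use of `\RuntimeException` are assumptions; `encryption_profile` and `value` are the two options named in the proposed resolution.

```php
<?php

namespace Drupal\example_encrypted_key\Plugin\KeyProvider;

use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\key\KeyInterface;
use Drupal\key\Plugin\KeyProviderBase;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Hypothetical provider sketching the proposal (not the merge request's code).
 *
 * @KeyProvider(
 *   id = "example_encrypted",
 *   label = @Translation("Encrypted (example)"),
 *   storage_method = "config",
 *   key_value = {"accepted" = TRUE, "required" = FALSE}
 * )
 */
class ExampleEncryptedKeyProvider extends KeyProviderBase implements ContainerFactoryPluginInterface {

  /** Encrypt's "encryption" service (EncryptServiceInterface). */
  protected $encryption;
  /** Storage handler for encryption_profile config entities. */
  protected $profiles;

  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    $instance = new static($configuration, $plugin_id, $plugin_definition);
    $instance->encryption = $container->get('encryption');
    $instance->profiles = $container->get('entity_type.manager')->getStorage('encryption_profile');
    return $instance;
  }

  public function defaultConfiguration() {
    return ['encryption_profile' => NULL, 'value' => NULL];
  }

  public function getKeyValue(KeyInterface $key) {
    $config = $this->getConfiguration();
    $profile = empty($config['encryption_profile']) ? NULL : $this->profiles->load($config['encryption_profile']);
    if (!$profile) {
      // Fail closed: never hand the stored ciphertext back as if it were the key.
      throw new \RuntimeException('The configured encryption profile does not exist.');
    }
    // Only ciphertext lives in configuration; plaintext exists in memory only.
    return $this->encryption->decrypt((string) $config['value'], $profile);
  }

}
```

The write path (encrypting a submitted value before it is saved to configuration) is left out; the key behind the encryption profile must itself come from a provider that does not depend on this one.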

Issue fork encrypt-3561674

Issue fork key-3561674

Comments

phenaproxima created an issue. See original summary.

phenaproxima’s picture

Issue summary: View changes
phenaproxima’s picture

Issue summary: View changes

phenaproxima’s picture

Status: Active » Needs review
Issue tags: +Needs tests

Needs tests, but I have an initial implementation. To keep things simple, I changed it to be a hard-coded decorator of the config key provider, which is the simplest and needs no additional configuration.

phenaproxima’s picture

Title: Add a key provider that can transparently encrypt and decrypt the key stored by another provider » Add a key provider that can transparently encrypt and decrypt the key value
Issue summary: View changes
phenaproxima’s picture

Title: Add a key provider that can transparently encrypt and decrypt the key value » Add transparent encryption and decryption support to the `config` key provider
Project: Encrypt » Key
Version: 8.x-3.x-dev » 8.x-1.x-dev
Assigned: Unassigned » phenaproxima
Status: Needs review » Needs work
Issue tags: +Needs issue summary update

After more thought and experimentation, I think the best way to have this work is actually to have the Key module support Encrypt natively, but optionally, and with only one key provider: config. If the data is encrypted, then it doesn't matter if it's stored in the entity -- it's encrypted.

Assigning to myself to update the MR and issue summary.

phenaproxima changed the visibility of the branch 3561674-support-encryption to hidden.

mxr576’s picture

Issue summary: View changes
Issue tags: -Drupal CMS release target

Removed the outdated part from the IS, Drupal CMS is going to rely on a different solution provided by Easy Encryption module.