Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Hi zzolo! Great to see this module.
I suggest, however, slowing down a little bit with the rc releases until we can discuss a bit.
My major question: it seems that the data is stored in the database and the keys are stored in the database and the hashing method is well known (it's this module) and could probably be determined by looking at the database tables (system). So, if someone gets your database they will be able to unencrypt everything, right?
I think the keys must be stored separately from the database in text files on the server and there should be good documentation in the README.txt about best practices for protecting those keys.
Comments
Comment #1
zzolo CreditAttribution: zzolo commented@greggles,
Thanks for looking this over.
As I was going to sleep last night, after my drunken coding, I realized this flaw as well. I think writing to a file is the best bet and trying to ensure that the file is safe. Maybe even supporting putting the key in settings.php manually, since this is a good safe place to put it.
I think there may be even more secure ways, but the goal of this module is to be an easy dependency for other modules, so a tough installation process would kind of defeat the purpose.
--
Alan
Comment #2
mikeytown2 CreditAttribution: mikeytown2 commentedodds are the way they got into your database was by looking at settings.php...
long story short, storing the key anywhere on the system is a bad idea. it creates what most people like to call a security theater; its the illusion of it being secure when in fact its not. If the server or code didn't store the key then this would be %100 better. But then this would be limited to user input only; where they input the key via a form.
Comment #3
zzolo CreditAttribution: zzolo commented@mikeytown
I actually saw Bruce Schneir give a presentation on his Security Theater. I understand your concerns and realize that if someone has access to the DB, there is a high likelihood that he/she would have access to the file system. But the point it is to create multiple points of security, not to create an ultimate security system. There is no actual way to use a secure key without some serious involvement by the user; input by the user for the key does not matter, it is about where it is stored.
I have worked out a system that uses settings.php for keys, and if that is not avialable, it creates a key in the file system, then at last resort, uses drupal private key. I will be committing this tomorrow.
Again, I will not say that this is an ultimate solution to secure data, but it is an actual layer of security, small as it may be (as opposed to none).
--
Alan
Comment #4
zzolo CreditAttribution: zzolo commentedSee: http://drupal.org/cvs?commit=248852
So, I made a much better key system.
If keys are present in the settings.php file, those will be used. If not, when installing, a key file is created (though not really all that secure), and this will be used. If those arent found, the drupal private key will be used. And as a last result, if no key is found at all, then the 'None' method is used.
I have put in a hook_requirement to check for keys in setting.php.
I have also created the ability to have multiple keys in settings.php and in the admin interface the ability to choose different keys. The idea is to not change keys, just add another. This ensures that any previously encoded data will still be retrievable.
Also, in the admin interface, if keys are not found, the ability to change the default key is not presented, and the sample code that should be put into settings.php is presented to user.
I think the major question is if it should be required to have keys in settings.php for the module to install. I personally would say no, and here is why: If the key is not secure, there is no difference between no encryption and this. One of the major goals of this module is to be a dependency module with low entry barrier; so if a module uses it, Encrypt should work with very little user involvement. This basically will make this module more of an ability to have real secure encryption, then actually ensuring it.
What do you think?
Comment #5
zzolo CreditAttribution: zzolo commentedComment #6
zzolo CreditAttribution: zzolo commentedAfter talking with @marcingy some, he suggest just using a file outside the webroot (apache), and looking at Ubercarts Credit Card key storage stuff. So, I will take a look at that.
Comment #7
gregglesYes, exactly. It should be outside the webroot.
I like the idea of multiple modes that degrade. Perhaps it should also be a "hookable" feature so that a site-specific module could be written that does something specific and more secure?
Comment #8
zzolo CreditAttribution: zzolo commentedI am definitively not opposed to the idea of "hookable" keys, but, I would like to think that this module should be the point of the best security, and I am not sure I think its necessary for a 1.0 stable release. Still, hooks are almost always a good thing; there is always the possibility of someone thinking of something that I or others do not.
My plan is to make the ability to put the key in a specified place (suggested outside the webroot), and then the ability for hookable key systems can be a 2.0 feature.
Thanks for your input.
Comment #9
Leeteq CreditAttribution: Leeteq commentedPerhaps a feature request for after the initial stable release, but it would be extra interesting with a possibility for external key storage.
Comment #10
zzolo CreditAttribution: zzolo commentedWill start a new issue for that feature.
I have updated the code to use a key outside the webroot. It would be nice if someone could review the code.
Comment #11
zzolo CreditAttribution: zzolo commentedClosing. I think this issue has been resolved. Any review would be appreciated.