This project is not covered by Drupal’s security advisory policy.
If you want to use this module, your options are:
- Choose another, actively maintained module instead
- File an issue in the queue with a patch to fix the module and then contact the security team to have your version reviewed and the project handed over to you following the unsupported project process.
- Hire someone to fix the security bug so the module can be re-published (see this guide on how to hire a Drupal site developer)
Important: Migration to Real AES Module
This module implements a weakened AES encryption method and can leave data at risk of being decrypted. It is not recommended for use; migrate to the Real AES module instead.
- Put your site into Maintenance Mode.
- Create a backup of all files and your database.
- Disable and delete the AES Module but DO NOT UNINSTALL. If you uninstall the module, it will remove the key and all encrypted data will be permanently lost!
- Download and Install the Real AES (and AES submodule).
- Download and Install the Key module.
- Create a new 128-bit encryption key. A good way to do this is on the command line using openssl: openssl rand -base64 16 > encryption.key
- Create a Key profile in the Key module configuration, naming it “Real AES Key”. Be sure to check that the machine name matches “real_aes_key”, and check the box saying the key is base64 encoded. You can upload the new key file to your server in the same location as your previous key file, which should be outside the webroot with the file permissions set accordingly. Otherwise you can use the Key module to store the key in an external key manager.
- Test any functions using encryption. The data should decrypt and encrypt properly.
- Remove your site from Maintenance Mode.
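The key-file steps above, as an added shell example that is not part of the original project page: it generates the key with the same openssl command, then checks that the file decodes to exactly 16 bytes, is readable only by its owner, and sits outside the webroot. The function names and the two paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the AES or Real AES projects).
# Usage (placeholder paths): sh make_key.sh /path/outside/webroot/encryption.key /path/to/webroot

# Generate a 128-bit key, base64 encoded, created owner-only from the start.
generate_key() {
    key_file=$1
    ( umask 077 && openssl rand -base64 16 > "$key_file" )
}

# Print "ok" and return 0 only if the key file is fit to register in the Key module.
check_key() {
    key_file=$1
    webroot=$2
    [ -f "$key_file" ] || { echo "key file not found"; return 1; }

    # Resolve physical paths so symlinks or ".." cannot hide a key under the webroot.
    key_dir=$(cd "$(dirname "$key_file")" && pwd -P) || return 1
    web_dir=$(cd "$webroot" && pwd -P) || return 1
    case "$key_dir/" in
        "$web_dir"/*) echo "key file is inside the webroot"; return 1 ;;
    esac

    # A base64-encoded 128-bit key must decode to exactly 16 bytes.
    bytes=$(base64 -d < "$key_file" 2>/dev/null | wc -c | tr -d ' ')
    [ "$bytes" = "16" ] || { echo "key decodes to $bytes bytes, expected 16"; return 1; }

    # No group or other permission bits (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
    case "$mode" in
        ?00) ;;
        *) echo "mode $mode is too permissive"; return 1 ;;
    esac
    echo "ok"
}

# Run only when both paths are supplied on the command line.
if [ "$#" -eq 2 ]; then
    generate_key "$1" && check_key "$1" "$2"
fi
```

Run the check again after uploading the key to the server, since file modes and locations can change in transit.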
Old module description for record keeping:
In short, here's what this module does:
For site owners:
This module can provide you with readable passwords. Some users will be able to see other users' passwords in plain text if they have a role with the permission to do so.
This module can provide you with a very simple and easy to use encryption API. Just check out the aes_encrypt and aes_decrypt functions. It really can't get any simpler.
In a nutshell:
$encrypted_data = aes_encrypt("mydata");
$decrypted_to_plain_text = aes_decrypt($encrypted_data);
Note: This module requires an AES implementation, which can be either the PHP Mcrypt extension or the PHP Secure Communications Library.
The Mcrypt extension needs to be installed on the web server, so if you're on a shared host you probably can't use this if it's not already installed (you'll find out if you have it or not when installing this module).
If you don't have Mcrypt, then grab a copy of PHP Secure Communications Library (phpseclib) from here: http://phpseclib.sourceforge.net/
Just extract that zip into a directory called "phpseclib" inside the AES module directory and you should be good to go.
The two implementations are pretty much equivalent, although Mcrypt is faster and offers the option of defining the encryption cipher, so you probably want to use that if you have it.
This module and its main functions (aes_encrypt, aes_decrypt) are designed to behave in a consistent way no matter which implementation you are using. There are a few small exceptions though. Check out API.txt if you would like to know what they are.
This module also allows you to switch between implementations (or change any of the other encryption options) without losing your already encrypted user passwords. However, take care not to switch implementations or change the cipher or key while you have another module installed which has this module as a dependency, since this module isn't aware of what data (if any) other modules have encrypted, and therefore it can't update that data with the new settings.
Drupal 6 and Drupal 7 versions
For both the 6 and 7 versions of Drupal core, the AES module is quite stable and is maintained mostly for fixes only.
Drupal 8 version
The Drupal 8 version is basically just a simple port. With everything new available in Drupal 8, there is an idea of dropping support for this module in favor of a unified solution built on the Key and Encrypt modules. If this idea succeeds, the Key + Encrypt pair would be able to support any encryption in a generalized way.
In case you plan to use AES for a while, be aware that it requires 'active' configuration to not store keys in DB. More info about the 'active' configuration can be found here.
This module was originally developed for 6.x by easyfit, and was maintained briefly by EvanDonovan, primarily for 7.x, since it was a requirement for the Salesforce Suite prior to the new 7.x-3.x branch.
From January 2014 to July 2016 the module was maintained by dpovshed.
- Maintenance status: Seeking new maintainer
- Development status: Maintenance fixes only
- Module categories: Administration, Developer, Security, User Access & Authentication, User Management
- Reported installs: 6,366 sites currently report using this module.
- Downloads: 55,089
- Last modified: 22 March 2017
Use at your own risk! It may have publicly disclosed vulnerabilities.