Problem/Motivation
On a few of my client's sites, we store PII in Webform submissions. I'm currently using this module along with Webform Encryption to accomplish that securely. While we're not storing PHI currently, I try to adhere to HIPAA best practices whenever possible. I was doing some research and came across this article (specifically the section on using KMS to encrypt PHI): https://aws.amazon.com/blogs/security/frequently-asked-questions-about-h...
Basically the way this module currently functions isn't HIPAA compliant, because it's using the KMS encrypt/decrypt methods to process the data directly. The way we'd need to use KMS, in order to be HIPAA complaint, would be to create a second key, encrypt/decrypt it with KMS, and then use that local key to handle the encryption/decryption of any PHI data.
Proposed resolution
The patch I've written to solve for this adds two new capabilities to the module:
- A KMS Data Key type that leverage the GenerateDataKey function to create an AES key.
- A KMS Key Provider that accepts any key, stores the encrypted local copy, and leverages KMS to handle decrypting the key when needed.
Both of the above features require being pointed to an Encryption profile that uses Amazon KMS to work. With this approach, I can generate a data key, store the encrypted key locally, and leverage another encryption module (like RealAES) to handle the actual processing of the webform information. There's no impact to existing installs of the KMS module, it's purely optional functionality for anyone that needs it.
Comment | File | Size | Author |
---|---|---|---|
encrypt_kms-provider-and-data-type.patch | 9.18 KB | jacobbell84 | |
Issue fork encrypt_kms-3117505
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
jacobbell84 CreditAttribution: jacobbell84 at ZenSource commentedComment #3
jdsl CreditAttribution: jdsl commentedDear jacobbell84, was your patch accepted and it is merged in the latest version of "Encrypt KMS" module?
Thanks in advance,
Comment #4
jacobbell84 CreditAttribution: jacobbell84 at ZenSource commentedHi jdsl, it hasn't been. For me it's been working fine on the beta1 release of the module. I haven't specifically tested on the latest dev version, but based on the commit it should work. I don't see anything at first glance in the patch that would cause issues with D9, which is the only change between the dev branch and the current beta1 release.
Comment #7
jacobbell84 CreditAttribution: jacobbell84 at ZenSource commented