Storing sensitive data with Drupal

Question

I need to use sensitive data with Drupal for a custom module to use. If I simply set them through the GUI, they will be stored unencrypted in the database. Anyone having access to it will have access to my sensitive data.

I can see two solutions for the moment:

1. Find a way to securely store those credentials into the database;
2. Put those sensitive data into a credentials_inc.php file, include it in settings.php to set variables my custom module could use and make sure that nobody else can read the file.

Which solution is best according to you? What do you recommend? Is there any other best option?

Best regards.

Answer 1

I would start off by using SecurePages module, to make sure the data entered somewhere along the way is not snooped.

Then to encrypt the information try using php's mcrypt with a short example of how to encrypt and decrypt.

Once the information is secured, you should have no problem storing the data in drupal's db structure. Also, an important note, you might check out hook_init() instead of trying to append something in settings.php. That is in general a bad practice.

Answer 2

The Encryption module provides an API that supports a few different encryption methods, including mcrypt (if you have it enabled).

Answer 3

The Encryption module is an excellent way to encrypt sensitive data within Drupal. However, this module does not provide adequate key management (it stores the encryption key within the Drupal database - like storing the keys to your house under your Welcome mat).

Along with Encrypt, you will also need an additional module like Townsend Security Key Connection which allows you to manage the encryption keys outside of the Drupal database in an encryption key manager (HSM, Cloud, VMware, etc.). Just remember - if you aren't properly managing your encryption keys, you aren't properly encrypting your data.

Full Disclosure: I work with Townsend Security on the Drupal team.