
Storing sensitive data with Drupal

I need to use sensitive data with Drupal for a custom module to use. If I simply set them through the GUI, they will be stored unencrypted in the database. Anyone having access to it will have access to my sensitive data.

I can see two solutions for the moment:

  1. Find a way to securely store those credentials into the database;
  2. Put those sensitive data into a credentials_inc.php file, include it in settings.php to set variables my custom module could use and make sure that nobody else can read the file.

Which solution is best according to you? What do you recommend? Is there any other best option?

Best regards.

Korchkidu, asked Apr 29 '11 16:04




3 Answers

I would start off by using SecurePages module, to make sure the data entered somewhere along the way is not snooped.

Then, to encrypt the information, try using PHP's mcrypt, with a short example of how to encrypt and decrypt.

Once the information is secured, you should have no problem storing the data in Drupal's DB structure. Also, an important note: you might check out hook_init() instead of trying to append something in settings.php. That is in general a bad practice.

ohmusama, answered Oct 18 '22 19:10


The Encryption module provides an API that supports a few different encryption methods, including mcrypt (if you have it enabled).

Matt V., answered Oct 18 '22 18:10


The Encryption module is an excellent way to encrypt sensitive data within Drupal. However, this module does not provide adequate key management (it stores the encryption key within the Drupal database - like storing the keys to your house under your Welcome mat).

Along with Encrypt, you will also need an additional module like Townsend Security Key Connection which allows you to manage the encryption keys outside of the Drupal database in an encryption key manager (HSM, Cloud, VMware, etc.). Just remember - if you aren't properly managing your encryption keys, you aren't properly encrypting your data.

Full Disclosure: I work with Townsend Security on the Drupal team.

geetarluke, answered Oct 18 '22 18:10
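
The idea the answers converge on (encrypt the value before it goes into the database, and keep the key somewhere a database dump does not reach) is sketched below as an added example; it is not code from any of the posts or from the Encrypt module. It uses PHP's bundled sodium extension rather than mcrypt, which was removed from PHP core in 7.2. The function names, the key file location and the sample secret are assumptions made for illustration.

```php
<?php
// Added example: function names, paths and the sample secret are assumptions.

/** Load a 32-byte key from a file kept outside the database (and the docroot). */
function load_key(string $path): string {
    $key = base64_decode(trim((string) @file_get_contents($path)), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException("Key file missing or malformed: $path");
    }
    return $key;
}

/** Encrypt a secret; the returned string is what would be stored in the database. */
function seal_secret(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per value
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Decrypt a stored value; throws if the key is wrong or the value was modified. */
function open_secret(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is not a valid sealed secret');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed: wrong key or modified ciphertext');
    }
    return $plain;
}

// Demo with a constructed key file and a constructed secret.
umask(0077); // key file is created readable by its owner only
$keyFile = sys_get_temp_dir() . '/example_drupal_secret.key'; // stand-in for a path outside the docroot
file_put_contents($keyFile, base64_encode(sodium_crypto_secretbox_keygen()));
$key = load_key($keyFile);
$stored = seal_secret('api-password-EXAMPLE', $key); // this string would go in the DB
echo "Stored in DB: $stored\n";
echo "Recovered:    " . open_secret($stored, $key) . "\n";

// A database dump alone is not enough: a different key fails authentication.
try {
    open_secret($stored, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo "Without the key file: " . $e->getMessage() . "\n";
}
unlink($keyFile);
```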