Can You Keep a Secret?

PUBLISHED ON 16/11/2017 — WEB DEVELOPMENT, DEVOPS

Every Drupal application has its secrets - and I don't mean that dodgy code you wrote during an all-nighter. Database credentials, API keys, personally identifiable information - a secret is any data which could cause harm to your organisation if exposed.

This session will introduce the concepts of secrets and secret management, before moving onto practical examples of securely storing secrets in Drupal.

Slides

Resources

Recipe 1 - Store API Tokens in Lockr

Check out the full tutorial I wrote over at PreviousNext’s blog.

Recipe 2 - Encrypt Fields with KMS

  • Requirements
    • Amazon Web Services account
    • KMS Key
    • IAM credentials that have kms:decrypt and kms:encrypt permissions.
  • Modules
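As an added example of the pattern Recipe 2 relies on (not code from the talk or from any Drupal module): envelope encryption of one field value with a KMS key, using the AWS SDK for PHP and libsodium. KMS only wraps a per-record data key; the field itself is encrypted locally, which keeps the value out of KMS request logs and avoids KMS's 4 KB direct-encrypt limit. The key alias, region and encryption context below are assumptions you replace with your own.

```php
<?php
// Added example, not part of the talk. Assumes: the AWS SDK for PHP is
// installed via Composer, AWS credentials come from the environment
// (or an instance/task role) and KMS_KEY_ID / AWS_REGION are placeholders.

require 'vendor/autoload.php';

use Aws\Kms\KmsClient;

const KMS_KEY_ID = 'alias/drupal-field-key'; // placeholder, not a real key
const AWS_REGION = 'ap-southeast-2';         // assumption

function kmsClient(): KmsClient {
  return new KmsClient(['region' => AWS_REGION, 'version' => '2014-11-01']);
}

/**
 * Encrypts $plaintext and returns a storable string made of the KMS-wrapped
 * data key, the nonce and the ciphertext, base64-encoded and dot-separated.
 * $context binds the wrapped key to this entity/field: KMS will refuse to
 * unwrap it under a different context, so a blob cannot be replayed into
 * another field.
 */
function encryptField(string $plaintext, array $context): string {
  $result = kmsClient()->generateDataKey([
    'KeyId' => KMS_KEY_ID,
    'KeySpec' => 'AES_256',
    'EncryptionContext' => $context,
  ]);
  $dataKey = $result['Plaintext'];        // raw 32-byte key, never stored
  $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
  $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $dataKey);
  sodium_memzero($dataKey);               // wipe the plaintext key promptly
  return implode('.', [
    base64_encode($result['CiphertextBlob']),  // key as wrapped by KMS
    base64_encode($nonce),
    base64_encode($ciphertext),
  ]);
}

/**
 * Reverses encryptField(). The same $context must be supplied, and the
 * secretbox authentication tag detects any tampering with the stored value.
 */
function decryptField(string $stored, array $context): string {
  $parts = explode('.', $stored, 3);
  if (count($parts) !== 3) {
    throw new InvalidArgumentException('Malformed encrypted field');
  }
  [$wrappedKey, $nonce, $ciphertext] = array_map('base64_decode', $parts);
  $result = kmsClient()->decrypt([
    'CiphertextBlob' => $wrappedKey,
    'EncryptionContext' => $context,
  ]);
  $dataKey = $result['Plaintext'];
  $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $dataKey);
  sodium_memzero($dataKey);
  if ($plaintext === false) {
    throw new RuntimeException('Field ciphertext failed authentication');
  }
  return $plaintext;
}

// Usage with a constructed sample value (entity type / field name assumed).
$context = ['entity_type' => 'user', 'field' => 'field_tax_number'];
$stored = encryptField('123-456-789', $context);
echo decryptField($stored, $context), PHP_EOL;
```

The IAM credentials from the requirements list need kms:GenerateDataKey as well as kms:Decrypt for this variant, since the data key is minted by KMS rather than encrypting through kms:Encrypt directly; scoping those permissions to the single key alias is the check worth making before deploying.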

Recipe 3 - Dynamic DB Credentials with HashiCorp Vault

settings.php.ctmpl Template

<?php

// Rendered by consul-template. The block below is only emitted when Vault
// returns a lease for the "drupal" role of its database secrets engine.
{{ with secret "database/creds/drupal" }}
$databases['default']['default'] = [
  'driver' => 'mysql',
  'host' => '127.0.0.1',
  'database' => 'local',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  // Dynamic credentials generated by Vault - {{ timestamp }}
  'username' => '{{ .Data.username }}',
  'password' => '{{ .Data.password }}',
];
{{ end }}

Consul Template Command

consul-template -template consul-template/settings.php.ctmpl:app/sites/default/vault.settings.php
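The rendered vault.settings.php still has to be loaded by Drupal. As an added example (not from the talk), this is a tail for sites/default/settings.php that includes it and fails closed instead of silently falling back to static credentials; only the output path comes from the command above, everything else is assumed.

```php
<?php
// Added example, not part of the talk: end of sites/default/settings.php.
// Assumes consul-template writes to sites/default/vault.settings.php
// (the destination in the command above) and that no static $databases
// entry is defined elsewhere in settings.php.

$vault_settings = __DIR__ . '/vault.settings.php';

if (!is_file($vault_settings)) {
  // consul-template has not rendered yet, or Vault was unreachable.
  throw new \RuntimeException(
    'vault.settings.php is missing; refusing to start without dynamic DB credentials'
  );
}

// The file holds a live database password: other local users must not be
// able to read it. Check the group/other read bits (octal 0044) before use.
if ((fileperms($vault_settings) & 0044) !== 0) {
  throw new \RuntimeException('vault.settings.php is readable by group/other');
}

include $vault_settings;

// The template's {{ with secret }} block renders nothing when Vault returns
// no lease, leaving an empty file; treat that as a hard failure too.
if (empty($databases['default']['default']['username'])
    || empty($databases['default']['default']['password'])) {
  throw new \RuntimeException(
    'vault.settings.php rendered without credentials; is the Vault lease valid?'
  );
}
```

Because the credentials expire with the Vault lease, consul-template re-renders the file when the lease is renewed or replaced; PHP-FPM picks the new values up on the next request that bootstraps Drupal, while long-running processes (Drush, queue workers) must be restarted to see them.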