Nick Santamaria presenting at DrupalSouth Auckland

Every Drupal application has its secrets - and I don’t mean that dodgy code you wrote during an all-nighter. Database credentials, API keys, personally identifiable information - a secret is any data which could cause harm to your organisation if exposed.

This session will introduce the concepts of secrets and secret management, before moving onto practical examples of securely storing secrets in Drupal.


Unfortunately the recording doesn’t include the slides, see below if you would like to reference them.



Recipe 1 - Store API Tokens in Lockr

Check out the full tutorial I wrote over at PreviousNext’s blog.

Recipe 2 - Encrypt Fields with KMS

  • Requirements
    • Amazon Web Services account
    • KMS Key
    • IAM Credentials that have kms:decrypt and kms:encrypt permissions.
  • Modules

Recipe 3 - Dynamic DB Credentials with HashiCorp Vault

settings.php.ctmpl Template


{{ with secret "database/creds/drupal" }}
$databases['default']['default'] = [
  'driver' => 'mysql',
  'host' => '',
  'database' => 'local',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
  // Dynamic credentials generated by Vault - {{ timestamp }}
  'username' => '{{ .Data.username }}',
  'password' => '{{ .Data.password }}',
{{ end }}

Consul Template Command

consul-template -template consul-template/settings.php.ctmpl:app/sites/default/vault.settings.php