The “Key” to Drupal Security

In our everyday lives we all have the desire to keep our possessions secure. We have home security systems, deadbolts, padlocks, and RFID locks at work. But no matter how secure the locking mechanism, it’s only as strong as they key we use to unlock it. Websites and the data they collect and share are no different.

From the moment we create our sites we are confronted with the need for keys; connecting to the database requires a password, setting up an administrator account requires one as well and Drupal even creates for itself a unique salt to be used for password management. We take the utmost care from the beginning stages by creating secure passwords to protect access to our site, but why should our protection stop at the perimeter? Even though there is a lock on the front door doesn’t mean a safe inside the house for our valuables is unnecessary.

Drupal has a great reputation for perimeter security. Constant code reviews by some of the brightest minds create a platform any enterprise can rely on to build mission critical systems.  Yet while the secure codebase may help prevent intrusion, there is still the need as developers and site builders to protect the valuable data we collect, process and store. During our session at Drupalcon Barcelona David Strauss, Luke Probasco and I discussed how to have a “Defense in Depth” approach to site security. We discussed how the perimeter is good, but protecting the data and code is critical as well. The best method to protect data is to not keep it (or even handle it), however that is not always possible and it’s in these cases we need to encrypt the data to keep it secure. In addition to encryption, the keys many people don’t realize they need to protect until it’s too late are API keys, which are used to authenticate your website to other sites and services (like MailChimp, AWS, PayPal etc.). A proper defense-in-depth approach will secure the perimeter, encrypt the data, and protect external communications.

Drupal Key Management

To many developers, encryption can be a scary thing. Together with the folks at Townsend Security, and a dedicated community of contributors we have been making great strides in making the Encrypt module approachable for anyone to use while making it more secure. Encryption is only as good as the key used in the process though. Which is why we decided to create a module specifically for key management, aptly named Key.

Key is a pluggable module that routes key requests to secure key storage. Out of the box it offers the ability to store keys in the settings.php file so it can be tracked for change using change management, or in a file that can reside anywhere in the system (preferably outside the site root). While these are two “stronger” options than storing the keys in the database, they are still doing the proverbial “taping the key to the front door”. Once someone has access to your server, they have the keys to your data.

We do all we can to keep the perimeter secure, but we have to expect people will still get in. I recently sat in a meeting with a Fortune 50 company security team and was told they plan on the entire codebase and database being compromised. With a near limitless budget on perimeter security, they still understood access to the codebase and database was inevitable. This is why from PCI DSS to HIPAA to government regulations worldwide state that proper key management is critical to secure data. Their recommendations all state that for a key to be properly managed, it must reside in an environment physically separate from the one that is using it. The Encrypt module can now leverage the Key module and the plugins available to it to finally allow Drupal to meet best security practices of separating the keys away from the data they encrypt.

API Keys Matter Too

While the data we encrypt and store on our sites is important to protect, that’s only a part of key management. While creating the Key module, we started thinking holistically about keys within Drupal. More and more the sites we build are just part of a larger ecosystem. We are constantly connecting to transactional email services, CRMs, payment gateways, data warehouses and analytics systems. If these connections are as business critical as our protecting data, why should they be treated any different?

This is when we found the shocking truth: Drupal had no standard way of managing keys for modules. Many times modules use the FormAPI to collect these keys (or worse private passwords) but turned around and stored them in the database. This means every copy of your database, whether in the hands of a developer or a hacker not only had the sensitive data it contained, but all the information necessary to connect to your business critical systems. Though it may not contain sensitive data, to a business, the possible repercussions of a lost key are just as devastating.

By routing all keys within Drupal to a central key management location, it is now possible to have total control over all encryption keys, API keys, external logins and any other value needing to remain secret. This gives developers and site builders a useful dashboard to quickly see the status of every key, and control where it is stored.

Lockr: Key Management Made Easy

So now that we’ve made the Encrypt module easy to use, created the Key module to begin centralizing and managing keys better, we are still left with the critical issue: how do I store them securely. Options such as Townsend Security’s Key Connection are squarely aimed at those needing and willing to take control of their offsite key environment. But what about those who need a solution, but don’t want to (or can’t afford to) manage their keys on their own?

This is what led us to create Lockr, the first managed key storage available to Drupal. Plainly put, Lockr is proper key management made easy. Using Townsend Security’s proven key management at the core, Lockr provides a simple-to-use plugin for the Key module which allows for offsite storage in a secure hosted server. Working with the team at Pantheon, we have come up with a way to secure the communication and storage of the key without anything more than an email address of the account owner for setup.

When a key is requested, or sent, to Lockr the transmission is signed by an X.509 certificate provided by Pantheon’s servers. This signature not only allows for secure encrypted transmission of the key to Lockr’s servers, but it identifies the site and environment from which it came. Lockr then uses this information to obscure the keys to securely store and retrieve it at a later time. This obfuscation of the key identity is crucial, it prevents Lockr from knowing anything about the keys it stores, only your site can unlock the key name and value. Also, by using the site environment as part of the key storage process, it is also now possible to set production keys and development keys separate, the implications of which are HUGE.

If you are encrypting sensitive information in your production environment, that data should not be decrypted anywhere but in production. Yet if your key follows your code or database, every time you clone from production into a development environment, the ability to get to the sensitive data comes along with it. Using Lockr, data is encrypted in production using a production key that is not retrievable outside that environment. When a database is cloned to development the keys that Drupal has access to cannot decrypt the data. All the while development into using the encryption modules and methods remains untouched, just with a non-production key. Now you’re able to not only keep your keys safe, but your data even more protected.

Most developers know of a time when they mistakenly triggered an email to go out to a production account, or crossed development data into a production environment. It happens to the best of us. Using Lockr virtually eliminates the possibility of these potentially costly mistakes from occurring. Developers can test workflows without the concern of using a production key and business owners can rest assured they won’t have to deal with the potential blowback of any mistakes in development.

Lockr is now exclusively available on Pantheon. We followed their lead by allowing free use of the Lockr for all development environments. With the Key module, Lockr and Pantheon, your keys are now more secure, and so is your data. So what are you waiting for? Give it a try today!