THE “KEY” TO BETTER KEY MANAGEMENT WITH DRUPAL
Content management systems (CMS) often use services that require a key or password. A CMS is used for many reasons, some include encrypting and decrypting data, accessing databases, connecting accounts using web services, etc. A site might need to send email, process payments, or import data from a private feed. Those site activities require authentication using passwords or keys. For Drupal sites, the Key module is the best way to manage those passwords and keys.
Let’s take a step back here and talk about how all these things are related. First there are traditional passwords for access to accounts. Then there are long strings of binary data which encryption and decryption algorithms use directly. And there are strings of binary data which software uses to authenticate itself to other software; these are called API keys.
Generally a “password” is something which humans create, or at least which they can type in. They’re relatively short and made of printable characters. A “key” is usually a computer-generated number, 128 bits long or more, that’s randomly generated. People aren’t expected to remember them. Keys and passwords both do the same job. For simplicity let’s call them both “keys” for now.
A simple, but really bad, way is to store the keys in the CMS’s database. Database breaches are common, and they’re much worse when they result in the intruder’s getting keys to a lot of other services. If those other services made the same mistake, there’s no telling how many accounts the attacker can get into. A site that manages their keys this way could be violating legal and/or contractual requirements, this site may be in serious trouble if its key storage turns a local data breach into a much bigger incident.
Think of how a ship is built. It has bulkheads so that a leak in one place won’t sink the whole ship. Key management provides bulkheads against data leaks, so they don’t take everything down with them.
The Drupal CMS offers many advantages over other systems out there, but a basic installation doesn’t include a good way to manage your site’s keys. If you try to manage all the keys you need separately, the result will soon be messy as well as insecure. Fortunately, key management is available. The Key module provides a simple, organized way to manage and protect keys.
With the Key module, keys are stored in the Drupal database. The two key providers are called Configuration and File. The Configuration provider stores the key in Drupal’s configuration settings, which is convenient but not really secure. The documentation recommends not using it in a production environment. The File provider offers somewhat better security, storing keys in a file. It should be a file outside the site’s web root, so that intruders can’t easily find it. A little better, but still not great.
For serious security, other key providers are available as Drupal plugins, and developers can create custom ones. For example, Lockr encrypts the keys themselves and stores them on an offsite server. Storing keys on a separate server means that no matter how thoroughly an intruder gains access to the Drupal site, the keys aren’t there.
The Key module isn’t restricted to using just one provider. Speciality providers are available for specific kinds of keys. For example, the JSON Web Token Authentication provider provides only RFC 7519 keys.
The Key module provides organizing for a large number of keys. You can define key types, which serve several purposes:
- An API call can request only keys for a certain type.
- A key type can specify validation requirements for a key, such as length and permissible characters.
- A key type can specify how keys of that type should be input or generated. The module supports form input of keys.
- If generation is allowed, the key type will specify how to generate a valid key.
These features provide better organization of keys than separate management of each different key ever could.
With the Key module and a good choice of key providers, you can have all your keys well-organized and safely stored. Keeping local breaches from cascading into bigger ones is an important part of data security, and secure key management helps to accomplish that.