Welcome to our support section! Lockr is an easy-to-use plugin for your website and application, but even the most savvy developers occasionally run into challenges. Below are some resources to help guide you through the installation process.

Frequently Asked Questions (FAQs)

How Does Lockr work?

Lockr removes the key from your site code and database, encrypts (wraps) it while it is still inside your application, and stores the wrapped value in a secure, certified cloud key manager. When your site or application needs the key for an encryption, decryption or API request, Lockr retrieves the wrapped value over a secure connection, unwraps it inside your application, and hands it to the calling code for that use only.

Can Lockr Be Used By Non-CMS Applications?

Yes! Non-CMS applications can integrate with Lockr through our API, which supports creating authentication certificates and saving and retrieving key values. We currently offer a PHP library on Packagist. If there is another language you would like to see a library built for, contact support and we will be happy to help.

What Types Of Keys Does Lockr Manage?

  • API keys for e-commerce services such as PayPal, Stripe, Square, Authorize.net, FedEx and UPS.
  • API keys for email and marketing service providers such as MailChimp, SendGrid, Campaigner and HubSpot, and SMTP credentials for Gmail, Office 365 and other mail servers.
  • Access tokens for cloud services such as Amazon Web Services, Azure, Google Cloud, Salesforce and Zoho.
  • Keys used for encrypting data on your website (need an encryption key? Let Lockr create one for you through the API).
  • LDAP and SSO authentication credentials.

How Is Lockr Different From Other Key Management Systems?

Lockr makes key management simple by taking on the hard work and monitoring, leaving you to focus on your site or application. What sets Lockr apart is that keys are encrypted before they ever leave your site or application. This step, called key wrapping, encrypts the key while it is still inside your website or application, so a key stored in Lockr cannot be read or used outside the environment that wrapped it; Lockr never sees your key values. The wrapped keys are then transferred only over HTTPS and stored in Townsend Security's FIPS 140-2 validated key manager.

Lockr also manages keys on a "per environment" basis, which removes the risk of production keys being shared with development environments. You no longer have to worry about a development site sending a test notification to production users, or about production data being decrypted in a development environment.

Is Lockr Safe?

Yes! Lockr can secure API keys, application secrets, encryption keys and other credentials. Once enabled in the CMS, keys entered into Lockr are wrapped (encrypted) and then sent over an encrypted connection to the Lockr system. In many cases the credentials used to authenticate to Lockr are issued by the site host or application platform, which prevents hijacking and tampering and also keeps development and production environments separate. Authentication uses certificates, issued either by the hosting provider or by Lockr, so no passwords or tokens need to be stored. These certificates expire, can be revoked and are renewed automatically, which keeps access management simple and secure. Because of key wrapping (see above), a key retrieved from Lockr is useless outside the website or application that wrapped it, and nobody, including Lockr, can read your key values.

Will Developers Be Able To Access My Keys?

Only if you want them to. Lockr keeps development and production environments isolated; working with your hosting provider, or using custom certificates issued by Lockr, you can restrict developers to keys in the development environment only.

If you encrypt sensitive information in your production environment, that data should be decryptable only in production. With Lockr, data encrypted in production with a production key cannot be decrypted outside that environment, because Lockr knows which environment a request comes from and uses entirely separate key storage for development and production keys. When a production site is cloned to development, the keys available to that development environment cannot decrypt the cloned data.

Who Do I Contact For Lockr Support?

You can email the Lockr Support Team at support@lockr.io or get real-time support on Lockr's Slack channel.

Who Can Access Key(s)?

A key stored in Lockr can only be retrieved by a request signed with the same certificate that was used to save it. Using a proprietary method, Lockr routes and stores keys under a "fingerprint" derived from the access certificate, which prevents the holder of a valid certificate from retrieving a key that belongs to another account.

Where Are The Key(s) Stored?

Once transmitted to Lockr, encrypted (wrapped) key values are routed, based on the environment and region chosen for that key, to a highly redundant cluster of cloud Hardware Security Modules (HSMs). Lockr runs isolated US and EU clouds so that storage can meet regional regulatory requirements and sits as close as possible to your site or application for performance. Lockr is backed by Townsend Security Alliance Key Managers, which are FIPS 140-2 validated and NIST compliant.

How Can I Tell What My Key Usage Is?

This is not yet available on the customer dashboard. If you would like your most up-to-date usage, contact our support team at support@lockr.io or on our Slack channel.

What Happens If My Site / Application Gets Hacked?

If your site is hacked, the first thing an attacker usually does is copy the environment they have landed in: the database in the case of a SQL injection, or the server in the case of a server breach. Neither copy on its own can expose a key stored in Lockr. The database holds the secondary key used in the key wrapping process, but that key is useless by itself. The server holds the connection certificate, but without the ability to unwrap (decrypt) the value returned by Lockr, that value is likewise useless. Certificates can also be revoked and reissued; once a certificate is revoked, the attacker can no longer retrieve the encrypted values from Lockr. An attacker who obtains both the secondary key and a still-valid certificate does hold everything needed to unwrap a key, so revoke and reissue the certificate as soon as a breach is suspected.

Keeping the pieces needed to recover the true key value in separate places greatly reduces the chance that an attacker can access your keys.

What Happens If Lockr Gets Hacked?

In the unfortunate event that Lockr itself is hacked, we have isolated our systems to keep your keys safe. Because key wrapping happens inside your site or application, the key is no longer in a usable form by the time it reaches Lockr. This means that even an attacker who gained access to Lockr's HSMs would be unable to recover the true keys stored within. In addition, our proprietary fingerprinting method means that even the name of a key is not decipherable.

Access to the Lockr database is worthless on its own: every value in it is either encrypted with keys we do not have, or obfuscated using data we do not store.

Can Lockr Access My Keys?

No. Keys are encrypted with AES-256 inside your application before they are ever transmitted to Lockr, and the wrapping key never leaves your environment, so Lockr has no way to read key values; doing so would require breaking AES-256 itself.
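As an added illustration (not the Lockr plugin's or library's own code), the Go program below shows the shape of the key-wrapping scheme described in "How Is Lockr Different From Other Key Management Systems?", "What Happens If My Site / Application Gets Hacked?", "What Happens If Lockr Gets Hacked?" and this answer: the secret is encrypted with AES-256-GCM under a wrapping key that stays in the application's own database, so the remote store only ever holds opaque ciphertext, and a development clone holding the store's copy but a different wrapping key cannot unwrap it. The Store map, the environment label bound as GCM additional data, and the sample secret are constructions for this example; Lockr's actual wire format, certificate handling and fingerprinting are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Wrapped is the only thing the remote key store ever receives: the
// AES-256-GCM ciphertext of the secret, the nonce, and the environment
// label it was wrapped for. The plaintext and the wrapping key never
// appear in it.
type Wrapped struct {
	Env   string
	Nonce []byte
	Blob  []byte
}

// NewWrappingKey generates the 256-bit "secondary key" that stays in the
// application's own database and is never sent to the store.
func NewWrappingKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts secret under wrappingKey before transmission. The
// environment label is bound as additional authenticated data, so a value
// wrapped for "prod" fails to unwrap if presented as "dev". This binding is
// an illustrative choice for the example, not a description of Lockr's own
// mechanism.
func Wrap(wrappingKey []byte, env string, secret []byte) (Wrapped, error) {
	aead, err := newGCM(wrappingKey)
	if err != nil {
		return Wrapped{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Wrapped{}, err
	}
	blob := aead.Seal(nil, nonce, secret, []byte(env))
	return Wrapped{Env: env, Nonce: nonce, Blob: blob}, nil
}

// Unwrap recovers the secret inside the application. The GCM tag check
// makes it fail if the wrapping key is wrong (another environment's key, or
// the store acting alone) or if the environment label differs from the one
// the value was wrapped for.
func Unwrap(wrappingKey []byte, env string, w Wrapped) ([]byte, error) {
	aead, err := newGCM(wrappingKey)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, w.Nonce, w.Blob, []byte(env))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong wrapping key or environment")
	}
	return pt, nil
}

// Store stands in for the hosted key manager: it holds Wrapped values by
// name and has no access to any wrapping key.
type Store map[string]Wrapped

func main() {
	prodKey, _ := NewWrappingKey() // lives in the production database
	devKey, _ := NewWrappingKey()  // lives in the development database
	store := Store{}

	// Constructed sample secret for the example; not a real credential.
	secret := []byte("sk_live_EXAMPLE_stripe_key")
	w, _ := Wrap(prodKey, "prod", secret)
	store["stripe"] = w

	if got, err := Unwrap(prodKey, "prod", store["stripe"]); err == nil {
		fmt.Printf("production unwrapped: %s\n", got)
	}
	// A development clone has the store's blob but the wrong wrapping key.
	_, err := Unwrap(devKey, "prod", store["stripe"])
	fmt.Println("development clone:", err)
	// The right key presented under the wrong environment label also fails.
	_, err = Unwrap(prodKey, "dev", store["stripe"])
	fmt.Println("wrong environment:", err)
	fmt.Printf("store holds %d opaque bytes for \"stripe\"\n", len(store["stripe"].Blob))
}
```

The point of the split is the one the FAQ makes: the store's copy, the database's wrapping key, and the connection certificate are each useless alone, and an attacker needs the wrapped blob and the matching wrapping key together before any secret is recoverable.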

What if I Want To Leave Lockr?

We hate to see you go! If you do need to leave Lockr, we can either migrate you to another Townsend Alliance Key Manager or provide a way to export your keys and unwrap them in your application. Contact support for help with this process.