Fields can be encrypted "to help thwart identity theft if access to your database becomes compromised." However, the encryption key itself is stored as a variable in the database. If the database is compromised, wouldn't the attacker be able to retrieve the key and then decrypt the data? Am I missing something?
Comments
Comment #1
john.money commented: Hrm... I have to think some on how to store the key while still enabling some degree of ease of configuration. But you're right.
Comment #2
vector0319 commented: Maybe you could store the key in the settings.php file like the encrypted_text module does? That would allow for at least a little more security, in that they have to get access to the db and the file system.
Jeremy
Comment #3
threexk commented: Agree with vector0319. If not settings.php, some file outside the database that normally should be protected.
Comment #4
john.money commented: Excellent idea. Will implement shortly. Thanks.
Comment #5
chrisschaub commented: The file should be stored above the docroot, in a folder that has read-only perms after it is created, like settings.php. Ubercart does this with a key file directory and keyfile.
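The key-file approach chrisschaub describes, written out as an added PHP example (not the module's code, and not Ubercart's): the key is read from a file above the docroot and rejected if it is web-reachable or readable by other users. The paths, and PHP 8 with the sodium extension, are assumptions.

```php
<?php
// Added example, not the module's own code: load the field-encryption key from a
// file kept above the docroot and refuse it if the web server could serve it or
// if other users can read it. Assumes PHP 8 with the sodium extension.

const DOCROOT  = '/var/www/html';                 // assumed paths
const KEY_FILE = '/var/www/private/encrypt.key';  // outside DOCROOT

function load_key_file(string $path, string $docroot): string {
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("key file not found: $path");
    }
    // A key the web server can serve is no better than one stored in the database.
    $root = realpath($docroot);
    if ($root === false || str_starts_with($real, rtrim($root, '/') . '/')) {
        throw new RuntimeException("key file must sit outside the docroot: $real");
    }
    // Expect 0400 or 0600: no group or world bits at all.
    $perms = fileperms($real) & 0777;
    if ($perms & 0077) {
        throw new RuntimeException(sprintf('key file mode %o is too permissive', $perms));
    }
    $key = base64_decode(trim(file_get_contents($real)), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key file does not hold a valid base64 32-byte key');
    }
    return $key;
}

function encrypt_field(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh per value
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decrypt_field(string $stored, string $key): string {
    $raw   = base64_decode($stored, true);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered ciphertext');
    }
    return $plain;
}

// One-time key creation (e.g. in an install hook), then lock the file down:
//   file_put_contents(KEY_FILE, base64_encode(sodium_crypto_secretbox_keygen()));
//   chmod(KEY_FILE, 0400);
$key = load_key_file(KEY_FILE, DOCROOT);
echo decrypt_field(encrypt_field('value to protect', $key), $key), PHP_EOL;
```

The permission and location checks run on every load, so a key file that is later moved under the docroot or loosened with chmod makes the site fail closed rather than silently keep working.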
Comment #6
john.money commented: Fixed in release 2.0
http://drupal.org/node/425596