By budda on

A new custom field for use with Flexinode content types.

The encrypted field provides two levels of security for text-based data being stored on your website.

Individual encrypted fields can have their view access restricted to user role permissions assigned to them.

All data that is stored in the fields is encrypted in the database and decrypted upon viewing or editing the flexinode content.

Users without the correct view access for a certain field in the flexinode can continue to edit the rest of the node without losing the protected data.

This functionality allows users at different levels of authority to work on the same nodes.

Currently available for download from:
http://www.ixis.co.uk/drupal-modules/flexinode-field-encypted

Categories: Drupal 4.7.x

Comments

fago’s picture

fago
Primary language German
Location Vienna
commented

your link say: access denied

is encryption really needed to achieve this!?

budda’s picture

budda
Primary language English
Location Cheshire
commented

Sorry, page is now published.

Not sure what you mean by your questions about encryption?

I used encryption to hide the data in the database so that if somebody stole the SQL they would not have any way to read the sensitive data.

My requirement was for storing username/password pairs on an Intranet.

--
www.bargainspy.co.uk | More Drupal modules

--
Ixis (UK): Drupal support, Drupal hosting.

fago’s picture

fago
Primary language German
Location Vienna
commented

now it's clear to me, what you wanted to achieve.
however - as the key is also stored in database, a attacker would be also able to decrypt the data, if he has access to the sql-data...?

budda’s picture

budda
Primary language English
Location Cheshire
commented

No, the key is not stored in the database for that very point.

It's not a great solution if somebody steals your SQL and the PHP scripts though. I'm very interested in any solutions to the storage of the encryption key though!

--
www.bargainspy.co.uk | More Drupal modules

--
Ixis (UK): Drupal support, Drupal hosting.

aw-1’s picture

aw-1 commented

Hmm it seems the link is dead now. Too bad. I would have liked to see your solution.

budda’s picture

budda
Primary language English
Location Cheshire
commented

Yeah the module needs updating a little and i've just not had time. I might re-make it for CCK one day, and put it on drupal.org hosting instead.

--
Ixis (UK) providing Drupal consultancy and Drupal theme design.

--
Ixis (UK): Drupal support, Drupal hosting.

dado’s picture

dado commented

+1

I might re-make it for CCK

thanks,
dado

dado’s picture

dado commented

The module adds an encrypted text field for CCK module. Uses MySQL's AES_ENCRYPT and AES_DECRYPT function (which use 128 bit key).
See here
http://drupal.org/node/78304

If I don't get direction from CCK maintaners I would release this as a separate module.

budda’s picture

budda
Primary language English
Location Cheshire
commented

Doesn't that require your MySQL install to have the encryption library compiled in? I found that wasn't common on shared hosting.

--
Ixis (UK): Drupal support, Drupal hosting.

dado’s picture

dado commented

i do not find anything about AES_ENCRYPT or AES_DECRYPT requiring special compilation of MySQL. please let me know if i am missing something.

http://mysql.com/doc/refman/4.1/en/encryption-functions.html

AES_ENCRYPT() and AES_DECRYPT() were added in MySQL 4.0.2, and can be considered the most cryptographically secure encryption functions available in MySQL.

PHP's encryption functions (mcrypt) do require special compilation, but I am not using those.
http://www.php.net/mcrypt

rcross’s picture

rcross commented

Hi,

It just dawned on me this morning about the issue/idea of encryption abilities for drupal, so I'm also glad to see someone has already looked at this problem. Was the encrypted field for cck integrated? Has anyone thought about encrypting the entire node? or the node's body?

I have the same issue of storing passwords on an intranet, but also some intellectual property (IP) and other sensetive information that I'm worried about. I'm currently using some of the node access modules to restrict internal viewing of particular information, but the issue of getting access to the database is still important. Even something as potentially benign of having a shared host backing up your information could provide the ability to easily see sensitive data.

--Ryan

--Ryan
Ryan Cross
James Cross Construction Services
Project Management Software

budda’s picture

budda
Primary language English
Location Cheshire
commented

I dropped development for the Flexinode version, and there's a CCK field widget available for download on drupal.org now. I've not had time to check it out yet though.

--
Ixis (UK) providing Drupal consultancy and Drupal theme design.

--
Ixis (UK): Drupal support, Drupal hosting.