Since hashed data cannot be retrieved, have you considered adding the option to encrypt the data rather than hash the data? This way, the data could easily be decrypted/retrieved but STILL be stored securely in the database. The decryption key could be placed in a file outside of the web root.

Right now I am testing your module to store data in plain text so that I can retrieve it (via automated PHP scripts) and do some processing. Since the data would contain information such as email addresses, I would prefer to have this information encrypted.

Any thoughts/suggestions would be greatly appreciated!

Comment    File                     Size        Author
#12        cckpassword-aes.patch    7.7 KB      caktux
#8         encrypt.patch            16.79 KB    mkinnan
#4         encrypt.patch            16.81 KB    mkinnan

Comments

hefox’s picture

I'm not actually using my own module.. aka I'm welcome to any good patches, ideas, etc. but not interested in looking how to implement it at the moment.

There is a hook system for defining storage methods/callbacks (and even adding extra columns if need more than one column in the database), so you could also expand on it in a submodule, but again, perfectly happy for a patch to the module.

mkinnan’s picture

I will look into it to see if it is something I can do.

mkinnan’s picture

Version: 6.x-1.0-alpha1 » 6.x-1.x-dev

I am currently modifying the DEV version of the module and will hopefully make a patch in the next few days (to a week). The module will offer an additional option to MD5 or plain text called encryption. The data will be encrypted using a key and stored in the database. In order to access the stored data (remotely via a PHP script), you will have to use a decrypt function along with the key.

Right now, I have a working module that does just that.

The encryption ability will not be a plug-and-play feature for users because you will have to have some knowledge on how to write code to decrypt the data. But, I will include a basic script illustrating how to access the encrypted data and then unencrypt it.

Just wanted to keep you up to date.

mkinnan’s picture

Status: new    Size: 16.81 KB

Attached is the patch. I included the encryption/decryption functions from http://www.tonymarston.net that I used. Since that code falls under GNU terms, I don't think it could be included in the module and users would have to download it manually from:

http://www.tonymarston.net/php-mysql/showsource.php?file=std.encryption....

If you like the encrypt option and see potential, I can re-roll the patch without Tony's functions.

Anyways, the patch gives another option to Encrypt the data instead of plain text or MD5 the data. I also added a CCK Password site configuration link for the location of the keyfile. There are also permissions to administer for defining the location of the keyfile.

In order to retrieve the encrypted data, I included an example php script that queries the database, decrypts the data, and prints it to the screen.

Comments and criticisms are welcome. This patch fits my needs, so if it doesn't have potential for CCK Password that's ok :-)

Mark

mkinnan’s picture

I would also need to write up some instructions for the readme file if you wanted to include the encrypt option in CCK Password.

hefox’s picture

Status: Active » Needs review

From a brief look see, looks good, but still need to test it out. Marking it as needs review to reflect that.

Thank you! :)

hefox’s picture

Just a few comments from looking a bit closer

+   // Get the key from the file on the server
+   // Uncomment the line below to hardcode the key file location without saving to the database.
+   // $key_file = "/var/opt/keyfile.txt";
+   
+   $key_file = 
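
Review bot: the last line, `$key_file =`, has no right-hand side, so as quoted the key file location is never assigned and the statement is incomplete. Assign it from the stored configuration value, and stop with an error when that value is empty or the file cannot be read instead of continuing with an empty key. The commented-out `$key_file = "/var/opt/keyfile.txt";` asks administrators to edit module code to hardcode a path; a setting kept outside the module file would survive updates.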

I think the last line is missing a variable_get? XD

Variables can be stored in settings.php, so instead, instruct users to see default.settings.php/settings.php for instructions on how to store variables in code.

+   require 'std.encryption.class.inc';
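
Review bot: `require 'std.encryption.class.inc';` names the file with no directory, so PHP looks it up through include_path and the calling script's directory and could load a different file of the same name. Build the path from the module's own directory and load the file once.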

require_once, or module_load_include.

Going to ask around about whether we can include the file or not; I am not up to par with it, but may be best to play it safe and instruct users on how to download the file. Do you know what version of GPL (GNU public license) it is? http://drupal.org/licensing/faq#q10

edit: Talked to someone in IRC. 1 and 2 are basically compatible and the software was initially created before 3 was released, making it likely either 1 or 2, so it should be okay to include it.

Since we are also allowed to modify it, it would be nice to have the file comply with coding standards regarding spaces/bracket use; extra space bothers me and makes it harder to read code.

mkinnan’s picture

Status: new    Size: 16.79 KB

Yea ... I completely goofed leaving out $key_file variable, lol. I originally had the script hardcoded for the location and forgot to go back and change that part to variable.

I also changed both instances of require to require_once.

As far as the encryption function file, I will leave it as is for this patch while I investigate methods to automatically make the code conform to Drupal standards. I don't think the coder module does it automatically.

That is good news we can include and modify the encryption functions!

I tested the module and patch, and it worked for me.

Something I would like to do, but not sure how is to make sure the key file variable is set BEFORE a user is allowed to select the encrypt option for the CCK password field.

Mark

mkinnan’s picture

I noticed a problem with my patch. After patching, the user is not shown the checkbox to 'Delete current password' once data has been entered. Even for the other plain text and drupal password options, the checkbox does not show up anymore. I cannot seem to figure out why in the code it is not showing up anymore.

szantog’s picture

Just a little thing: After saving the administration form, need to check the keyfile. Not only if it exists. I get an error that it contains an invalid character in the keyfile. Need to check the $crypt->errors array too.
If I have time, I will make it.
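
The checks asked for in the two comments above (validate the key file's location and content, not just its existence, before the encrypt option can be used), as an added example that is not part of any patch in this thread. `keyfile_problems()`, its parameters and the demo paths are hypothetical, and the permission check assumes a POSIX file system.

```php
<?php
// Added example; keyfile_problems() and its parameters are hypothetical names,
// not part of CCK Password. Assumes a POSIX file system for the permission check.

/**
 * Returns a list of problems with the key file; an empty array means usable.
 */
function keyfile_problems($key_file, $web_root, $min_bytes = 16) {
  if (!is_string($key_file) || $key_file === '') {
    return array('Key file location is not configured.');
  }
  $real = realpath($key_file);  // resolves symlinks and ".." segments
  if ($real === FALSE || !is_file($real) || !is_readable($real)) {
    return array('Key file is missing, not a regular file, or unreadable.');
  }
  $problems = array();
  // The key must not be downloadable: reject anything under the web root.
  $root = realpath($web_root);
  if ($root === FALSE) {
    $problems[] = 'Web root could not be resolved.';
  }
  elseif (strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
    $problems[] = 'Key file is inside the web root.';
  }
  // Other local accounts should not be able to read or replace the key.
  if (fileperms($real) & 0007) {
    $problems[] = 'Key file is accessible to all local users.';
  }
  // Existence is not enough: the content must hold a usable key.
  $key = trim((string) file_get_contents($real));
  if (strlen($key) < $min_bytes) {
    $problems[] = "Key is shorter than $min_bytes bytes.";
  }
  return $problems;
}

// Constructed demo: one key file outside and one inside a made-up web root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_webroot_' . getmypid();
mkdir($root, 0755);
$good = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($good, "constructed-sample-key-0123456789\n");
chmod($good, 0600);
$bad = $root . DIRECTORY_SEPARATOR . 'keyfile.txt';
file_put_contents($bad, "short\n");
chmod($bad, 0644);
print_r(keyfile_problems($good, $root));
print_r(keyfile_problems($bad, $root));
unlink($good);
unlink($bad);
rmdir($root);
```

A settings form could refuse to save while this list is non-empty, and the field settings could withhold the encrypt option until it is empty. Any error list reported by the encryption class itself (the `$crypt->errors` array mentioned above) would be checked in addition to these file-level checks.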

giorgio79’s picture

Why not integrate it with an existing encrypt module like
http://drupal.org/project/aes

caktux’s picture

Status: new    Size: 7.7 KB

Here it is, full integration with the AES module. Also added textarea support so you can securely store SSH keys or SSL certificates.

hefox’s picture

caktux: you got commit access and administer releases permission, do whatever you want :)