Hi,
as far as I can see, the key data is stored unencrypted in the database. Besides a serialization of the token data, no care is undertaken to protect the key data.
For a module with the purpose of providing a safe login method, I think it would be better to encrypt the token data, if for example the aes module is installed: http://drupal.org/project/aes.
Attached are the few lines of code which would be needed.
Best
File | Size | Author |
---|---|---|
encrypt-data.patch | 807 bytes | Martin Klinkigt |
Comments
Comment #1
Jelle_S commented: #1768386: Key data stored unencrypted
Comment #2
Jelle_S commented
Comment #3
attiks commented: Apparently the aes module does more than providing encryption, see #1762716: separate password viewing feature from rest of module
Are there alternatives?
Comment #4
Martin Klinkigt commented: Yes, this is right. The module offers more than only encryption. This might be because at least some install it.
But I read that http://drupal.org/project/encrypt also uses AES and both modules want to merge together (http://drupal.org/node/607918).
My decision for AES was that it is used more often and so might be more mature.
Until these two merge together, we might offer encryption with both. I think a module which really only does encryption is hard to find, since such a module will attract much attention for the maintainer. But doing such encryption again in the GA Login code is also not so good, I think. The important encryption seed should not be stored in the database, but on the hard disk. This is what AES offers. Setting this up takes quite some lines of code. Furthermore, the best is to use the mcrypt PHP extension. But not all servers have this installed. AES takes care to find all needed libraries and makes its own local PHP encryption if it cannot find mcrypt. To copy such code is also not good, I think.
Therefore, because for good encryption several elements are needed and maybe its own maintainer, I think a specialized module is the best.
best regards
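As an added illustration of the approach argued for in comment #4 (encrypt the secret before it reaches the database, and keep the key in a file on disk rather than in the database next to the ciphertext), here is a small stand-alone PHP example. It is not GA Login's code and not the AES or Encrypt module's code, and it does not call their APIs; the key file path, the function names, the "v1:" storage format and the use of PHP's OpenSSL extension with AES-256-GCM are assumptions made for the illustration. It uses OpenSSL rather than the mcrypt extension discussed in the thread because mcrypt was removed from PHP core in 7.2.

```php
<?php
declare(strict_types=1);
// Added example: not part of GA Login, the AES module or the Encrypt module.
// Shows the two points raised in the thread:
//   1. the TOTP secret is encrypted before it is stored in the database;
//   2. the 32-byte key lives in a file on disk (outside the web root),
//      not in the database next to the ciphertext.
// Path, function names and cipher choice are assumptions for this example.

const GA_LOGIN_KEY_FILE = '/etc/drupal/ga_login.key'; // assumed; outside the web root
const GA_LOGIN_CIPHER   = 'aes-256-gcm';

/**
 * Load the key from disk, creating it on first use with mode 0600 so that
 * only the web server user can read it. A database dump never contains it.
 */
function ga_login_example_key(string $path = GA_LOGIN_KEY_FILE): string {
  if (!file_exists($path)) {
    $fresh = random_bytes(32);
    if (file_put_contents($path, $fresh, LOCK_EX) !== 32) {
      throw new RuntimeException("Cannot write key file $path");
    }
    chmod($path, 0600);
  }
  $key = file_get_contents($path);
  if ($key === FALSE || strlen($key) !== 32) {
    throw new RuntimeException("Key file $path is missing or malformed");
  }
  return $key;
}

/**
 * Encrypt a base32 TOTP secret for storage. The result is one printable
 * string, "v1:" . base64(iv . tag . ciphertext). The uid is bound in as
 * associated data so a row copied onto another user's account does not decrypt.
 */
function ga_login_example_encrypt_secret(string $secret, int $uid, string $key): string {
  $iv  = random_bytes(12); // 96-bit nonce, fresh for every encryption
  $tag = '';
  $ct  = openssl_encrypt($secret, GA_LOGIN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, "uid:$uid", 16);
  if ($ct === FALSE) {
    throw new RuntimeException('Encryption failed: ' . openssl_error_string());
  }
  return 'v1:' . base64_encode($iv . $tag . $ct);
}

/**
 * Reverse of the above. Returns NULL if the blob is malformed, was altered,
 * or was stored for a different uid (the GCM tag check fails in both cases).
 */
function ga_login_example_decrypt_secret(string $blob, int $uid, string $key): ?string {
  if (strncmp($blob, 'v1:', 3) !== 0) {
    return NULL;
  }
  $raw = base64_decode(substr($blob, 3), TRUE);
  if ($raw === FALSE || strlen($raw) < 12 + 16 + 1) {
    return NULL;
  }
  $iv  = substr($raw, 0, 12);
  $tag = substr($raw, 12, 16);
  $ct  = substr($raw, 28);
  $pt  = openssl_decrypt($ct, GA_LOGIN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, "uid:$uid");
  return $pt === FALSE ? NULL : $pt;
}

// Stand-alone demonstration with a constructed secret and a temporary key file.
$keyFile = sys_get_temp_dir() . '/ga_login_example.key';
$key     = ga_login_example_key($keyFile);
$secret  = 'JBSWY3DPEHPK3PXP'; // constructed sample base32 secret, not a real one
$stored  = ga_login_example_encrypt_secret($secret, 42, $key);
echo "Value written to the database: $stored\n";

// Correct uid and untouched blob.
echo 'Round trip for uid 42 matches: ' . var_export(ga_login_example_decrypt_secret($stored, 42, $key) === $secret, TRUE) . "\n";
// Same row presented for another uid.
echo 'Rejected for uid 43: ' . var_export(ga_login_example_decrypt_secret($stored, 43, $key) === NULL, TRUE) . "\n";
// One ciphertext byte flipped in the stored blob.
$raw = base64_decode(substr($stored, 3));
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
$tampered = 'v1:' . base64_encode($raw);
echo 'Rejected after tampering: ' . var_export(ga_login_example_decrypt_secret($tampered, 42, $key) === NULL, TRUE) . "\n";
```

In a real module the key path would come from settings.php and be provisioned per site, the "v1:" prefix lets the column hold both legacy plaintext and encrypted rows during a migration, and losing the key file means every stored secret is unrecoverable, so the file needs to be part of the site's backup plan separately from the database.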
Comment #5
attiks commented: I'll try to have a look later today
Comment #6
attiks commented: Added support for AES and Encrypt in the latest dev version.
Comment #7
Martin Klinkigt commented: Hi,
Sorry for my late reply. It is great to see that this one is addressed. I think even if there will be a change in the encryption modules, it is better practice to encrypt such important data as the secret.
Keep up the good work and best regards,
Martin