Hi,

As far as I can see, the key data is stored unencrypted in the database. Besides a serialization of the token data, no care is taken to protect the key data.
For a module with the purpose to provide a safe login method, I think it would be better to encrypt the token data, if for example the aes module is installed: http://drupal.org/project/aes.

Attached are the few lines of code which would be needed.

Best

Files:
Comment | File | Size | Author
 | encrypt-data.patch | 807 bytes | Martin Klinkigt

Comments

Status: Active » Closed (duplicate)

Status: Closed (duplicate) » Active

Apparently aes module does more than providing encryption, see #1762716: separate password viewing feature from rest of module

Are there alternatives?

Yes, this is right. The module offers more than only encryption. This might be due to the fact that at least some install it.
But I read that http://drupal.org/project/encrypt also uses AES and both modules want to merge together (http://drupal.org/node/607918).

My decision for AES was that it is used more often and so might be more mature.

Until these two merge together, we might be able to offer encryption with both. I think a module which really only does encryption is hard to find, since such a module will attract much attention for the maintainer. But doing such encryption again in the GA Login code is also not so good, I think. The important encryption seed should not be stored in the database, but on the hard disk. This is what AES offers. Setting this up takes quite some lines of code. Furthermore, the best is to use the mcrypt PHP extension. But not all servers have this installed. AES takes care to find all needed libraries and makes its own local PHP encryption if it cannot find mcrypt. To copy such code is also not good, I think.

Therefore, because several elements are needed for good encryption, and maybe its own maintainer, I think a specialized module is the best.

best regards
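
As an added illustration of the approach discussed in this comment (not the attached patch, and not code from the aes or encrypt modules): the serialized token data is encrypted before it is stored, with the key read from a file on disk rather than from the database. It assumes PHP 7.1+ with the OpenSSL extension and uses AES-256-GCM instead of mcrypt; all function names, the key file and the sample seed are hypothetical.

```php
<?php
// Added example; function names, key file and sample seed are hypothetical.

// Read a 32-byte key from a file on disk, so a database dump alone cannot decrypt.
function token_key_load(string $path): string {
  $key = @file_get_contents($path);
  if ($key === false || strlen($key) !== 32) {
    throw new RuntimeException('Key file missing or not 32 bytes');
  }
  return $key;
}

// Encrypt the serialized token data; returns base64(nonce . tag . ciphertext).
function token_data_encrypt(array $data, string $key): string {
  $nonce = random_bytes(12);  // fresh nonce per record
  $tag = '';
  $ct = openssl_encrypt(serialize($data), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
  if ($ct === false) {
    throw new RuntimeException('Encryption failed');
  }
  return base64_encode($nonce . $tag . $ct);
}

// Decrypt and authenticate; a wrong key or modified row raises instead of returning junk.
function token_data_decrypt(string $stored, string $key): array {
  $raw = base64_decode($stored, true);
  if ($raw === false || strlen($raw) <= 28) {
    throw new RuntimeException('Stored value is malformed');
  }
  $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
    substr($raw, 0, 12), substr($raw, 12, 16));
  if ($pt === false) {
    throw new RuntimeException('Authentication failed: wrong key or modified data');
  }
  return unserialize($pt, ['allowed_classes' => false]);
}

// Demo on constructed data: a temporary key file and a made-up seed.
$path = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($path, random_bytes(32));
$key = token_key_load($path);
$stored = token_data_encrypt(['seed' => 'JBSWY3DPEHPK3PXP'], $key);
var_dump(strpos($stored, 'JBSWY3DPEHPK3PXP') === false);
var_dump(token_data_decrypt($stored, $key)['seed']);
$raw = base64_decode($stored);
$raw[30] = chr(ord($raw[30]) ^ 1);  // simulate a modified database row
try { token_data_decrypt(base64_encode($raw), $key); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
unlink($path);
```

In a real deployment the key file would sit outside the web root and be readable only by the web server user.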

Assigned: Unassigned » attiks

I'll try to have a look later today

Status: Active » Fixed

Added support for AES and Encrypt in latest dev version.

Hi,

Sorry for my late reply. It is great to see that this one is addressed. I think even if there will be a change in the encryption modules, it is better practice to encrypt such important data as the secret.

Keep up the good work and best regards,
Martin

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.