Encrypt is a two-way encryption API module for Drupal. It allows modules to store information in a manner that it can be read if the person trying to read it has access to the key that was used to encrypt the data. This is useful when your site needs to store secret information
There is no native way to do two-way encryption in Drupal. There is also not a very standard way of performing encryption in PHP without extensions. There is not too much need for it, but every once in awhile there is a need to do something like store passwords in a database that you need to retrieve without a user involved, and some other various use cases (keeping secret information secret even if a database dump is lost/compromised). This module aims to make it easy for your module to keep data secured in an extensible way that does not inherently require any other dependencies.
This module is an API (Application Programming Interface) that other modules can use to encrypt data. It doesn't provide any user-facing features of its own (aside from an admin screen to control which keys are used).
At it's core, there are two functions:
// Encrypt data.
$encrypted_text = encrypt('some string to encrypt');
// Decrypt data.
There are currently three (3) encryption methods available by default.
- None: which is obviously not the preferred.
- Basic: A simple mathematical encryption method that does not require any PHP extensions.
- Mcrypt AES 256: If Mcrypt is enabled, you can use this encryption method which is very secure.
A nice feature of this module is that the method of encryption is passed along with the encryption itself. This means that the default encryption method can change for the site, or developers can choose a specific method without breaking previously encrypted data.
Keys and Installation
By default keys are based from the hash that is created for each site in Drupal:
It is highly suggested to use a key file that is outside the webroot. Go to the administrative settings at Admin » Settings » Encrypt to set the path and a key will be generated for you if the file permissions allow Drupal to do so.
Implementing Your Own Encryption
As of 7.x-2.x: Encryption methods and keys are CTools plugins that are documented in the help directory that ships with the module.
Obfuscation versus Security
By default, this module uses a key that is stored in your database while the main use of this module is to store encrypted data in the database. This is actually just an example of obfuscation because if the database itself is compromised all the necessary parts are available to retrieve that data (even if it requires more effort to do that).
When you put your key outside the webroot, the encrypted text and key are now in two distinct parts of the system which will have a lot less likelihood of being compromised at the same time. It is still important to know that this module does not make your data completely secure from being decrypted since a dedicated attacker could try to use brute force to decrypt the information. The module does allow a level of security that Drupal does not inherently provide and in fact there are many levels that need to be thought about to have fully secure data.
Roadmap and maintenance
Currently the module seems stable, but it is still pretty young and unused. The 1.x branch will no longer get features and the 2.x branch is nearly ready to replace the 1.x as the stable version. The 6.x-1.x branch will still be supported for some time after the 7.x-2.0 release, but it is in "maintenance mode."
- 2.x: . The 7.x-2.x branch is stabilizing, but still in flux, and should only be used in production environments if you are closely following. Upgrade paths between alpha and beta releases on this branch are not guaranteed.