This module adds a new encryption method for the Encrypt framework - it allows you to encrypt data using AWS KMS.
Get Started
This guide assumes you have an AWS account and working knowledge of KMS, and the following resources provisioned in AWS.
- A KMS key
- An IAM principal (a user, or preferably an instance/task role, see AWS Credentials below) allowed to call kms:Encrypt and kms:Decrypt on that key, and nothing more
Ensure this module and its dependencies are available in your codebase.
- https://drupal.org/project/key
- https://drupal.org/project/encrypt
- https://github.com/aws/aws-sdk-php
Enable the Encrypt KMS module.
Ensure your user account has the administer encrypt permission.
Add a new Key - select the KMS Key type and enter the ARN of the KMS key. This is just an identifier, and is completely fine to store in the "Configuration" storage provider.
Add a new Encryption Profile - choose the Amazon KMS encryption method and the key you just created.
Go to the Encrypt KMS configuration form and add your AWS IAM user credentials (or supply them another way; see AWS Credentials below).
Note: At this point you can use this profile to encrypt data in your system. However, used directly it sends every value in plaintext to the KMS Encrypt/Decrypt API (which also accepts at most 4 KB per call), so it isn't designed to handle PII/PHI data.
If you're encrypting PII/PHI you should also complete the additional setup below.
Install Real AES (https://www.drupal.org/project/real_aes), which provides the Authenticated AES encryption method.
Add a new Key - select the KMS Data Key type and choose the encryption profile you created earlier. For the key provider select 'AWS KMS' and choose that same encryption profile again (the key type and the provider are configured separately, but both point at the KMS-backed profile).
Add a new Encryption Profile - choose the Authenticated AES encryption method and the KMS Data Key you created in the previous step.
This setup generates a random AES key on the site, sends it once to KMS to be encrypted under your KMS key, and stores only that wrapped copy in the Key entity.
When you use this second encryption profile, the only data sent to AWS is the wrapped key, which KMS decrypts and returns.
The unwrapped AES key then performs all encryption and decryption operations locally, so the PII/PHI itself is never sent to AWS (this is standard envelope encryption, and it also sidesteps the KMS 4 KB per-call limit).
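The flow above, as an added illustration in plain PHP. This is not the Encrypt KMS or Real AES code; it only mirrors the two steps (wrap a locally generated data key, then encrypt records locally with authenticated AES-GCM) so you can see what does and does not cross the KMS boundary. The `FakeKms` class, the `KeyWrapper` interface, the sample record and the AAD string are constructed for this example; a real wrapper would call the AWS SDK's `KmsClient::encrypt()` / `KmsClient::decrypt()` with the KMS key ARN instead. It goes slightly beyond the page by also binding each blob to its storage location through the GCM additional authenticated data.

```php
<?php
declare(strict_types=1);
// Added illustration of the envelope scheme behind the two-profile setup.
// Not Encrypt KMS / Real AES code; plain PHP (>= 7.1, ext-openssl) mirroring the flow.

interface KeyWrapper {
    public function wrap(string $plaintextKey): string;   // data key -> KMS Encrypt -> wrapped key
    public function unwrap(string $wrappedKey): string;   // wrapped key -> KMS Decrypt -> data key
}

// Offline stand-in, constructed for this example. It is NOT KMS: it wraps with a local key so the
// script runs without AWS. A real implementation would call KmsClient::encrypt()/decrypt() from
// aws/aws-sdk-php with the KMS key ARN. $calls records everything that crosses the "KMS boundary".
final class FakeKms implements KeyWrapper {
    private string $masterKey;
    public array $calls = [];
    public function __construct() { $this->masterKey = random_bytes(32); }
    public function wrap(string $plaintextKey): string {
        $this->calls[] = ['op' => 'Encrypt', 'bytes' => strlen($plaintextKey)];
        return aesGcmEncrypt($this->masterKey, $plaintextKey);
    }
    public function unwrap(string $wrappedKey): string {
        $this->calls[] = ['op' => 'Decrypt', 'bytes' => strlen($wrappedKey)];
        return aesGcmDecrypt($this->masterKey, $wrappedKey);
    }
}

// AES-256-GCM helpers. Blob layout: iv (12) || tag (16) || ciphertext.
function aesGcmEncrypt(string $key, string $plaintext, string $aad = ''): string {
    $iv  = random_bytes(12);   // fresh nonce per message; never reuse one under the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

function aesGcmDecrypt(string $key, string $blob, string $aad = ''): string {
    if (strlen($blob) < 28) {
        throw new RuntimeException('ciphertext too short');
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed: ciphertext, tag or AAD was altered');
    }
    return $pt;
}

$kms = new FakeKms();

// Step 1, the "KMS Data Key": a 256-bit key is generated on the site; only its wrapped form is stored.
$dataKey          = random_bytes(32);
$storedWrappedKey = $kms->wrap($dataKey);
unset($dataKey);

// Step 2, the "Authenticated AES" profile: unwrap once, then encrypt the record locally.
$record = 'patient: Jane Doe, MRN 123456, dx: ...';   // constructed sample PHI, not real data
$key    = $kms->unwrap($storedWrappedKey);
$aad    = 'node:42:field_medical_record';             // illustrative: ties the blob to where it lives
$blob   = aesGcmEncrypt($key, $record, $aad);

if (aesGcmDecrypt($key, $blob, $aad) !== $record) {
    throw new RuntimeException('round trip failed');
}

// Two failure modes the authenticated mode catches: a modified ciphertext and a blob copied to another field.
$tampered = $blob;
$last     = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try { aesGcmDecrypt($key, $tampered, $aad); echo "BUG: tampered blob accepted\n"; }
catch (RuntimeException $e) { echo "tampered ciphertext rejected: {$e->getMessage()}\n"; }

try { aesGcmDecrypt($key, $blob, 'node:43:field_medical_record'); echo "BUG: moved blob accepted\n"; }
catch (RuntimeException $e) { echo "blob moved to another field rejected\n"; }

// What crossed the KMS boundary: one Encrypt of 32 bytes, one Decrypt of 60 bytes, never the record.
foreach ($kms->calls as $c) {
    printf("KMS %s: %d bytes\n", $c['op'], $c['bytes']);
}
```

Run it with `php envelope.php`. The point to take from the `$calls` log is that the record's size and content never appear in a KMS request; only the 32-byte data key (once, at setup) and its 60-byte wrapped form do.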
Tip: Because Encrypt KMS also registers a Key provider ('AWS KMS'), any secret managed through the Key module can be stored KMS-encrypted, not just encryption keys.
Great, you are now set up and can start encrypting fields, webform submissions and lots more.
Tip: Credentials typed into the admin form are saved in configuration and will be exported with it. To keep them out of exported config, store them as Keys (for example with the Key module's File or Environment provider) and use the Key module's configuration override capability to inject them into encrypt_kms.settings, or use one of the alternatives under AWS Credentials below.
AWS Credentials
There are alternatives to configuring the AWS credentials in the admin form.
settings.php
$config['encrypt_kms.settings']['aws_key'] = 'foo';
$config['encrypt_kms.settings']['aws_secret'] = 'bar';
If you do not explicitly set an AWS key and secret in config (or the admin form), the module falls back, via the AWS SDK, to:
- IAM Instance Profile
- Exported credentials in environment variables
- The default profile in a ~/.aws/credentials file
See the AWS SDK Guide on Credentials.
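A settings.php variant of the override above, added here as an example rather than taken from the module's documentation: it reads the credentials from environment variables instead of hard-coding them, and sets nothing at all when they are absent so the SDK fallbacks listed above still apply. The variable names ENCRYPT_KMS_AWS_KEY and ENCRYPT_KMS_AWS_SECRET are an assumption chosen for this example; the encrypt_kms.settings keys are the ones shown above.

```php
<?php
// settings.php excerpt (added example, not from the module). Assumes the deployment exports
// ENCRYPT_KMS_AWS_KEY / ENCRYPT_KMS_AWS_SECRET (names chosen for this example). Overrides set
// here are applied at runtime and are never written to exported configuration.
$awsKey    = getenv('ENCRYPT_KMS_AWS_KEY');
$awsSecret = getenv('ENCRYPT_KMS_AWS_SECRET');

if ($awsKey !== false && $awsSecret !== false && $awsKey !== '' && $awsSecret !== '') {
  $config['encrypt_kms.settings']['aws_key']    = $awsKey;
  $config['encrypt_kms.settings']['aws_secret'] = $awsSecret;
}
// Otherwise leave both unset: on EC2/ECS the instance profile (a role, no long-lived keys) is used,
// and on a developer machine the AWS_* environment variables or ~/.aws/credentials are picked up.
```

Prefer the instance-profile path on AWS-hosted sites; it removes the need to distribute or rotate a static IAM user secret at all.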
Project information
- Project categories: Security
- 58 sites report using this module
- Created by nicksanta
- Stable releases for this project are covered by the security advisory policy.