Encrypt sensitive values

OrdinaryJellyfish

I think it would be pretty nice if Flarum had a way to encrypt sensitive values, like API keys. It would make the impact of a data breach on any forum as minimal as possible while the admins are dealing with everything. I think it should probably be a core feature of Flarum (because security!!) and use something like Laravel's Encryption. Thoughts? I'd love to help work on it if it sounds like a good idea 🙂

clarkwinkelmann

And where would the key be stored ? If it's on the same server and if Flarum can read it, what is the probability the bad guys get access to it as well ?

I think Laravel encryption was made for encrypting values that will be stored outside of the app's control, like cookies or export files.

Here's some interesting reading:

https://security.stackexchange.com/questions/16939/is-it-generally-a-bad-idea-to-encrypt-database-fields

https://security.stackexchange.com/questions/4755/web-application-encryption-key-management

EDIT:

Also I think API keys are the least of your concern. They can be easily revoked or rotated with minimal effort or impact. Exposed private user data is probably way more problematic.

This will of course depend on which thiry-party services you have API key for in your forum. Right now the extensions we have dealing with API keys are mostly for oauth or readonly data I believe, so probably a limited impact until you're aware of the breach and revoke access.