Encrypt KMS

Component ID

2923717

Component name

Encrypt KMS

Component type

module

Component security advisory coverage

covered

Downloads

32


This module adds a new encryption method for the Encrypt framework - it allows you to encrypt data using AWS KMS.

This module is experimental and under heavy development. Please carefully consider its suitability for production use in its current form.

Get Started

This guide assumes you have an AWS account, working knowledge of KMS, and the following resources provisioned in AWS:

  1. A KMS key
  2. An IAM user with privileges to encrypt and decrypt using the aforementioned key
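
A least-privilege policy for the IAM user in item 2, as an added example that is not part of the module's own documentation. It assumes the module needs only the kms:Encrypt and kms:Decrypt actions; REGION, ACCOUNT_ID and KEY_ID are placeholders for the parts of your own key's ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EncryptKmsUseSingleKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
    }
  ]
}
```

Scoping Resource to the single key ARN rather than "*" means the stored credentials cannot be used against other keys in the account, and omitting key-management actions means they cannot be used to alter or schedule deletion of the key.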

Ensure this module and its dependencies are available in your codebase.

Enable the Encrypt KMS module.

Ensure your user account has the administer encrypt permission.

Add a new Key - select the KMS Key type and enter the ARN of the KMS key. The ARN is just an identifier, not a secret, so it is completely fine to store it in the "Configuration" storage provider.

Add a new Encryption Profile - choose the Amazon KMS encryption method and the key you just created.

Go to the Encrypt KMS form and configure your credentials.

PROTIP: Use the 8.x-1.5 version of the Key module and its configuration override functionality to securely store the AWS credentials.

Great, you are now set up and can start encrypting fields, webform submissions and lots more.

AWS Credentials

There are alternatives to configuring the AWS credentials in the admin form.

settings.php

$config['encrypt_kms.settings']['aws_key'] = 'foo';
$config['encrypt_kms.settings']['aws_secret'] = 'bar';

If you do not explicitly set the AWS key and secret in config, the module will fall back to:

  1. IAM Instance Profile
  2. Exported credentials in environment variables
  3. The default profile in a ~/.aws/credentials file

See the AWS SDK Guide on Credentials.

Contribute

Development of this module takes place on GitHub.

Feel free to fork this repo and make pull requests!