encrypted_login
In standard Drupal login forms, passwords are transmitted from the browser to the server as plaintext (only protected by HTTPS). This creates potential security vulnerabilitie
Encrypted Login module implements a robust hybrid encryption system that combines the security benefits of both RSA and AES encryption to protect login credentials in your Drupal site. This approach ensures maximum security by using asymmetric encryption for key exchange and symmetric encryption for credential transmission.
Key Features
- Hybrid Encryption System: Combines RSA-2048 for key exchange and AES-256-CBC for credential encryption
- Client-Generated AES Keys: Each login attempt uses a unique AES key generated in the browser using Web Crypto API
- Asymmetric Key Security: RSA public/private key pair ensures secure key exchange
- Zero Server Storage: No encryption keys are stored in the database
- Perfect Forward Secrecy: Each session uses a new encryption key
- Seamless Integration: Works with Drupal's standard login form
- Fallback Security: Maintains HTTPS security as a backup layer
Technical Implementation
1. Initial Setup
- Module generates RSA-2048 key pair during installation
- Private key stored securely in Drupal's state system
- Public key made available through secure endpoint
2. Login Process Flow
- Key Exchange:
- Client requests RSA public key from
/encrypted_login/get_public_key - Server provides RSA-2048 public key
- Client requests RSA public key from
- Client-Side Encryption:
- Generates random AES-256 key using Web Crypto API
- Encrypts password using AES-256-CBC with random IV
- Encrypts AES key using RSA public key
- Data Transmission:
- Sends encrypted AES key
- Sends IV + encrypted password
- Original password field cleared
- Server-Side Processing:
- Decrypts AES key using RSA private key
- Uses AES key to decrypt password
- Processes normal Drupal authentication
Security Benefits
- Multiple Encryption Layers: Two independent encryption systems protect data
- No Stored Keys: AES keys are ephemeral and never stored
- Forward Secrecy: Compromised sessions don't affect past or future logins
- Defense in Depth: Security maintained even if HTTPS is compromised
- Protection Against:
- Man-in-the-middle attacks
- Network packet sniffing
- Replay attacks
- Transport layer compromises
Technical Requirements
- Drupal 10.x or 11.x
- HTTPS enabled (required for security)
- Modern browser with Web Crypto API support
- PHP with OpenSSL extension
- Minimum PHP version: 8.1
Installation
- Install via Composer:
composer require drupal/encrypted_login
- Enable the module:
drush en encrypted_login
- Verify RSA key generation in status report
- Configure any optional settings
Best Practices
- Key Management:
- Rotate RSA keys every 6 months
- Secure backup of private keys
- Monitor key usage and errors
- Security Monitoring:
- Regular log review
- Decryption failure alerts
- System performance monitoring
- General Security:
- Keep Drupal core updated
- Implement brute force protection
- Regular security audits
Troubleshooting
- Common Issues:
- RSA key generation failures
- Browser compatibility issues
- Decryption errors
Support and Contribution
This module is actively maintained and welcomes community contributions. For issues, feature requests, or contributions, please visit our project page on Drupal.org.
Future Enhancements
- Automated key rotation
- Additional encryption algorithms
- Enhanced monitoring tools
- Performance optimizations
Get Started
Enhance your Drupal site's security today with the Encrypted Login module's hybrid RSA/AES encryption system!
Note: While this module significantly enhances login security, it should be part of a comprehensive security strategy including strong passwords, server hardening, and regular security updates.