Drupal

Securing environment variables in Drupal with the Key Module

Security key
by Aziza Anwari 11/12/2024

Handling sensitive information obviously presents a problem when it comes to protecting it during the development and deployment stages in Drupal. But don’t you worry; we've got your back! We are going to walk you through how to use the Key Module together with environment variables to manage sensitive data securely, so you don’t have to worry about exposing it in your codebase. We’ll also include some best practices for locking everything down through all environments from dev to production.

Are you ready? Then let’s dig in!

Why would you use the Key Module with environmental variables?

Really, think about it: storing sensitive information inside of your codebase is like opening the door for anyone to just peek in. Yikes. 

Use the Key Module along with environmental variables to ensure that sensitive data is kept safe and locked away from version control, thus making it easy to manage across different environments. You’re basically keeping things clean and neat and, most importantly, secure.

 

Step 1: Install and configure the Key Module

The first step is to install Key Module. The simplest use for the installation of the Key module is to use Composer. Execute the command:

composer require drupal/key

Once you have installed the module, you can find Keys inside Configuration > System > Keys in the Drupal admin panel. You can create a new key here. For added security, select the "Environment variable" as the key provider. In other words, sensitive values such as API keys will no longer be hard-coded in your code, but rather will be fetched by Drupal directly from an environment variable on your server.

For example, let's say you have to set an API key called MY_API_KEY. You can configure it in Drupal to use that variable name, and then whenever it's fetched in Drupal, the value will be pulled from the server.

 

Step 2: Setting up environment variables

You will need environment variables on both local and server instances. Here’s how you can do it:

Locally (for Development):

The simplest method to define environment variables locally is by using a .env file. Here are the steps:

  1. Create a .env File: In your project root (or in the .ddev or .lando folder if you're using DDEV or Lando), create a .env file.

  2. Add Your Environment Variable: Inside the .env file, define your key:

    MY_API_KEY=your_actual_api_key

  3. Exclude from Version Control: You certainly don't want to accidentally commit this file. Add .env (or the .ddev/.env or .lando/.env in snippets below if you're using DDEV or Lando) to your .gitignore file:

    echo ".env" >> .gitignore

Once that's taken care of, if you're working with DDEV or Lando, make sure to restart them to apply the changes with DDEV restart or Lando rebuild.

On the Server (for Production):

For production environments, never use .env files, set your environment variables directly on the server.

 

Step 3: Accessing the key in your code

Now that everything’s set up, it is time to use the key in a secure way within your code. You can access the value like this:

$api_key = \Drupal::service('key.repository')->getKey('API Key')->getKeyValue();

As an example, we will use this key in making an API request. You can do something like this:

$client = new \GuzzleHttp\Client();
$response = $client->request('GET', 'https://api.example.com/data', [
   'headers' => [
       'Authorization' => 'Bearer ' . $api_key,
   ],
]);

Boom! Your key is safely retrieved, and your code stays clean and secure. There is no sensitive information shared anywhere!

 

Extra security tips

Want to take your security game to the next level? Try these tricks:

1. Automate security checks and key audits

You don’t want to leave things to chance. Add tools like Drutiny or Tripwire into your CI/CD pipeline to keep an eye on your keys. If anything changes unexpectedly, you’ll be the first to know. And to make sure no one is sneaking around, log key access with Watchdog (Drupal’s logging system) to track who’s accessing what.

2. Role-based access control (RBAC)

Don’t let just anyone manage your keys. In People > Permissions, you can control which roles can access or modify the keys. For added security, you can even set roles to read-only, so users can’t make changes - just use the keys!

 

Wrapping It Up

The Key module combined with environment variables is a game-changer for managing sensitive data securely in Drupal. By following these best practices - automated checks, and role-based access control - you’ll keep your data safe while streamlining your deployment process.

So, go ahead and give it a try! Set up a test key, check out how easy it is to keep everything secure!