Support encrypting fields stored in unique columns.

Created on 13 November 2021, about 3 years ago
Updated 26 June 2023, over 1 year ago

Problem/Motivation

An error occurs when processing queue items that encrypt user name fields and the values don't get encrypted.
The error is:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '?-en' for key 'user__name': INSERT INTO "users_field_data" ("uid", "langcode", "preferred_langcode", "preferred_admin_langcode", "name", "pass", "mail", "timezone", "status", "created", "changed", "access", "login", "init", "default_langcode", "encrypted_field_storage__value", "encrypted_field_storage__encryption_profile") VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5, :db_insert_placeholder_6, :db_insert_placeholder_7, :db_insert_placeholder_8, :db_insert_placeholder_9, :db_insert_placeholder_10, :db_insert_placeholder_11, :db_insert_placeholder_12, :db_insert_placeholder_13, :db_insert_placeholder_14, :db_insert_placeholder_15, :db_insert_placeholder_16); Array ( [:db_insert_placeholder_0] => redacted [:db_insert_placeholder_1] => en [:db_insert_placeholder_2] => en [:db_insert_placeholder_3] => en [:db_insert_placeholder_4] => 🔒 [:db_insert_placeholder_5] => redacted [:db_insert_placeholder_6] => 🔒 [:db_insert_placeholder_7] => redacted [:db_insert_placeholder_8] => 1 [:db_insert_placeholder_9] => 1629851034 [:db_insert_placeholder_10] => 1630023293 [:db_insert_placeholder_11] => 1630023800 [:db_insert_placeholder_12] => 1630023247 [:db_insert_placeholder_13] => redacted [:db_insert_placeholder_14] => 1 [:db_insert_placeholder_15] => redacted [:db_insert_placeholder_16] => authenticated_aes_for_user_data_encryption )

Steps to reproduce

Encrypt the name field on User entity type.
Process queue

✨ Feature request
Status

Needs work

Version

3.0

Component

Code

Created by

🇺🇸 United States damondt


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇩🇪 Germany TipiT Hamburg

    I would say that this is a high priority issue, because this module is the only one that supports encrypting field values in Drupal. Additionally, there is no module that supports encrypting usernames.

    "Username" is considered PII (personally identifiable information) and should always be kept encrypted. There are a lot of companies using Drupal that are under GDPR, HIPAA or storing information as a part of a medical device. Does this mean Drupal is not an option for them, because there is no solution to encrypt the "Username"?

  • 🇺🇸 United States damondt

    @TipiT It's possible to encrypt usernames: the default username field could be autofilled and hidden and optionally an encrypted pseudo-username field added. This patch just gets it to work on the default username field. And I don't think GDPR applies here; my understanding is that it only requires consent for data storage as opposed to encryption.

  • 🇩🇪 Germany TipiT Hamburg

    @damondt I would argue that's a hack, at least a workaround, not the same as encrypting the username field. Actually that is already what we do for security reasons, but, as already said, it's not exactly the same thing, because login etc. gets more complicated.

    I think you are right about the GDPR, but as a good guidance, any PII should be stored encrypted.

  • 🇲🇽 Mexico jaimeah

    I am seeing an issue with this patch: while this does encrypt the username, it does not allow you to log back in again: the unencrypted value becomes unavailable.

  • 🇫🇷 France Uroki

    Hello,

    I quickly modified the patch to work with the 3.2.X branch. The validation.constraint service is called statically in it.
    If I get the time I will make a proper Merge Request.
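
Added example, not part of the thread or the module's code: a reduced SQLite model of `users_field_data` showing why the 🔒 placeholder from the error collides on the `user__name` unique key, and how the auto-filled-name workaround mentioned in the comments avoids the collision while leaving a lookup by the real username with nothing to match. The cut-down table, `stand_in_encrypt`, the `user-<uid>` filler format and the sample names are assumptions made for illustration.

```python
import sqlite3

PLACEHOLDER = "\U0001F512"  # the lock character bound to "name" in the failing INSERT

def make_db():
    db = sqlite3.connect(":memory:")
    # Reduced users_field_data: only the columns that matter here (assumption).
    db.execute("""CREATE TABLE users_field_data (
        uid INTEGER, langcode TEXT, name TEXT,
        encrypted_field_storage__value BLOB,
        UNIQUE (name, langcode))""")  # plays the role of key 'user__name'
    return db

def stand_in_encrypt(value):
    # NOT encryption: an opaque stand-in for the module's ciphertext (assumption).
    return b"ciphertext:" + value.encode()[::-1]

def save_with_placeholder(db, uid, name):
    """What the error shows: every row gets the same value in the unique column."""
    db.execute("INSERT INTO users_field_data VALUES (?, 'en', ?, ?)",
               (uid, PLACEHOLDER, stand_in_encrypt(name)))

def save_with_filler(db, uid, name):
    """Workaround from the thread: auto-filled unique name, real value kept encrypted."""
    db.execute("INSERT INTO users_field_data VALUES (?, 'en', ?, ?)",
               (uid, f"user-{uid}", stand_in_encrypt(name)))

def find_uid_by_name(db, name):
    """Login-style lookup against the plaintext name column."""
    row = db.execute("SELECT uid FROM users_field_data WHERE name = ?",
                     (name,)).fetchone()
    return row[0] if row else None

def demo():
    results = {}
    db = make_db()
    save_with_placeholder(db, 1, "alice")      # constructed sample users
    try:
        save_with_placeholder(db, 2, "bob")    # second placeholder + 'en' collides
        results["placeholder_second_row"] = "ok"
    except sqlite3.IntegrityError as exc:
        results["placeholder_second_row"] = str(exc)
    db = make_db()
    save_with_filler(db, 1, "alice")
    save_with_filler(db, 2, "bob")
    results["filler_rows"] = db.execute(
        "SELECT COUNT(*) FROM users_field_data").fetchone()[0]
    results["lookup_alice"] = find_uid_by_name(db, "alice")  # real name is not in "name"
    return results

if __name__ == "__main__":
    print(demo())
```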
