Press ESC to close

Magento 2 Security Update: Key Rotation and Data Re-encryption

In the ever-evolving world of eCommerce, security is paramount. Ensuring your Magento 2 installation is up-to-date with the latest security patches and encryption standards is crucial for protecting sensitive data. In this guide, we’ll walk through the process of rotating encryption keys and re-encrypting sensitive data in Magento 2. This real-world scenario covers the installation of the genecommerce/module-encryption-key-manager module, which is essential for managing encryption keys in Magento 2.

Step 1: Installing the Encryption Key Manager Module

Before we begin the key rotation and re-encryption process, you’ll need to install the genecommerce/module-encryption-key-manager module. This module provides a comprehensive toolset for generating and managing encryption keys in Magento 2.

Installation Steps:

  • Require the Module via Composer: Open your terminal and navigate to your Magento 2 root directory, then run the following command:
composer require genecommerce/module-encryption-key-manager
  • Enable the Module: After installing the module, enable it:
bin/magento module:enable Gene_EncryptionKeyManager
  • Run Magento Setup Upgrade: To apply the changes, run the setup upgrade command:
bin/magento setup:upgrade
  • Compile and Deploy Static Content: If you are running in production mode, recompile and deploy static content:
bin/magento setup:di:compile
bin/magento setup:static-content:deploy
  • Flush the Cache: Finally, flush the Magento cache to ensure the changes take effect:
bin/magento cache:flush

With the genecommerce/module-encryption-key-manager module installed and ready to use, we can now proceed with exporting the database and re-encrypting sensitive data.

Step 2: Exporting the Database

The first step is to export the database in a human-readable format. This ensures that all values are on the same line as the INSERT INTO statements, which is essential for the subsequent steps.

Command:

Using n98-magerun:
n98-magerun db:dump --human-readable

Or, using mysqldump:

mysqldump --extended-insert=FALSE -u [username] -p[password] [database] > db.sql

Step 3: Identifying Tables Requiring Key Rotation

Next, identify which tables contain data that requires key rotation. This involves searching for specific patterns in the SQL dump file.

Command:

gzcat demo.sql.gz | grep -E "VALUES\s*\(.*\d:\d:...*'" | awk '{print $3}' | uniq

Result:

admin_user
core_config_data
customer_entity
oauth_consumer
oauth_token
tfa_user_config

These are the tables that contain sensitive data requiring re-encryption.

Step 4: Applying the Security Patch

With the tables identified, apply the necessary security patch to the Magento 2 installation. In this case, we applied the VULN-27015-2.4.5x.composer.patch.

We placed the patch in the m2-hotfixes folder and modified it to ensure it applied correctly to our environment.

Step 5: Disabling Cron and Enabling Maintenance Mode

Before proceeding with the key rotation, disable the cron jobs and enable maintenance mode to prevent any conflicts or data inconsistencies during the process.

Commands:

./vendor/bin/ece-tools cron:disable
bin/magento maintenance:enable

Step 6: Generating a New Encryption Key

Generate a new encryption key, which will be used to re-encrypt all sensitive data across the identified tables.

Command:

bin/magento gene:encryption-key-manager:generate --force

Result: The system will generate a new key and re-encrypt the necessary data. The cache is cleaned automatically after the process.

Step 7-12: Re-encrypting Sensitive Data

Re-encrypt the sensitive data in each of the identified tables.

Commands:

Core Configuration Data:

bin/magento gene:encryption-key-manager:reencrypt-unhandled-core-config-data --force

TFA User Config:

bin/magento gene:encryption-key-manager:reencrypt-tfa-data --force

Customer Entity (RP Token):

bin/magento gene:encryption-key-manager:reencrypt-column customer_entity entity_id --force

OAuth Consumer (Secret):

bin/magento gene:encryption-key-manager:reencrypt-column oauth_consumer entity_id secret --force

OAuth Token (Secret):

bin/magento gene:encryption-key-manager:reencrypt-column catalog_product_entity_text value_id value

After each command, the system verifies that all old entries are re-encrypted with the new key.

Step 13: Verifying the Encryption

Enable logging for any decryption that still uses the old key to ensure that all data has been migrated to the new encryption key.

Commands:

php bin/magento config:set --lock-env dev/debug/gene_encryption_manager_only_log_old_decrypts 1
php bin/magento config:set --lock-env dev/debug/gene_encryption_manager_enable_decrypt_logging 1

Monitor your logs for entries related to the “gene encryption manager.” If no old key usages are logged, the re-encryption process is successful.

Note: If you encounter issues with configuration file changes, a re-deployment via the Cloud Console may be necessary.

Step 14: Re-enable Cron and Disable Maintenance Mode

Once verification is complete, flush the cache, re-enable cron jobs, and disable maintenance mode.

Commands:

bin/magento cache:flush
./vendor/bin/ece-tools cron:enable
bin/magento maintenance:disable

Conclusion

Following these steps ensures that all sensitive data in your Magento 2 installation is protected by the latest encryption standards. Regularly applying security patches and rotating encryption keys is a best practice that helps safeguard your eCommerce site against potential vulnerabilities.

If you have any questions or need further assistance with your Magento 2 installation, feel free to reach out in the comments!

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

Leave a Reply

Your email address will not be published. Required fields are marked *