Is variable_set() robust enough to store secret keys in the database or is there a better way?

Accepted answer

In Backdrop, you should not be using variable_set() at all:

https://github.com/backdrop/backdrop/blob/1.x/core/includes/bootstrap.in...

If you're concerned about privacy/security/etc., then probably the best thing would be to create a settings.keys.php file, put the key in there as you would any variable in settings.php, include that file from within settings.php, and make sure that new file is secure, not included in version control, has appropriate permissions set, etc.

That, of course, cannot be (easily?) done from a module.

Otherwise, use $config->set() / config_set():

https://docs.backdropcms.org/api/backdrop/core%21includes%21config.inc/f...

https://docs.backdropcms.org/api/backdrop/core%21includes%21config.inc/f...

By default, configuration in Backdrop is exported as JSON and saved in files, not in the database.

https://docs.backdropcms.org/documentation/working-with-configuration

 

Comments

oadaeh's picture

In Backdrop, you should not be using variable_set() at all:

https://github.com/backdrop/backdrop/blob/1.x/core/includes/bootstrap.in...

If you're concerned about privacy/security/etc., then probably the best thing would be to create a settings.keys.php file, put the key in there as you would any variable in settings.php, include that file from within settings.php, and make sure that new file is secure, not included in version control, has appropriate permissions set, etc.

That, of course, cannot be (easily?) done from a module.

Otherwise, use $config->set() / config_set():

https://docs.backdropcms.org/api/backdrop/core%21includes%21config.inc/f...

https://docs.backdropcms.org/api/backdrop/core%21includes%21config.inc/f...

By default, configuration in Backdrop is exported as JSON and saved in files, not in the database.

https://docs.backdropcms.org/documentation/working-with-configuration

 

A good way to set it in settings.php is to use this format:

$settings['mysecret']

And then call settings_get('mysecret') in your module. That'll help keep it a bit more hidden.

Someone could port https://www.drupal.org/project/key to allow for even more secure method.