Lockr works with Pantheon's Secure Integration to provide an additional layer of security to your site. Lockr is an easy-to-use plugin for WordPress or Drupal to manage your site’s API and encryption keys in a secure off-site hosted environment. Lockr removes the key from your site code and database and stores it in a secure and certified key manager. When your site needs the key for an encryption/decryption or API request, Lockr uses the Pantheon server’s certificate to authenticate on your behalf and release the key.
Site administrators have the ability to control how and where their sensitive keys are stored, thus improving the overall security of the site and allowing it to meet specific regulatory and compliance requirements for key management. Lockr also separately stores development and production specific keys to create an additional layer of security between environments.
Lockr provides a simple-to-use developer interface with a managed scalable cloud key management system. This allows applications of all sizes to meet industry standards for key management. Unlike other key managers, Lockr offers additional layers of security and system monitoring, no ongoing maintenance, and continuous development for integration with your favorite modules and plugins. Lockr's off-site API and encryption key management delivers best-practice security to help sites comply with HIPAA, FERPA, and FISMA. Using Lockr to develop in Dev, Test, and Multidev environments is free.
The Lockr Terminus plugin allows you to install all necessary components, register the site with Lockr, and patch all relevant plugins/modules running on your site with a single Terminus command. To enable the Terminus plugin, complete the following steps in your local environment:
Clone the Lockr Terminus plugin into the
~/terminus/pluginsdirectory on your local environment.
Log in with Terminus.
terminus auth:login --email=<email> --machine-token=<machine_token>
Run the following command:
terminus lockdown [<Lockr account email>] --password=[<Lockr account password>]
Select the site for the install. It will detect the CMS, download and install all necessary components, register the site, and patch all relevant plugins in your site.
With one command your site will be set up. After successfully installing and registering Lockr, you will see a confirmation on the Configuration page that the site is registered. You are now able to set keys through the Admin interface for registered sites. Alternatively, you can follow the steps below for the CMS your site uses to install and configure Lockr.
Lockr is automatically configured to secure API keys for numerous third-party plugins for seamless integration and securing of your keys. Visit the GitHub page for a list of plugins that can be automatically patched.
If you do need to upload module files directly to the server, be sure to use SFTP and not FTP.
terminus connection:set <site>.<env> sftp
terminus wp <site>.<env> -- plugin install lockr --activate
Click Lockr from within the WordPress Dashboard to visit the Lockr Configuration page (
Enter your email address, and click Register Site.
Create keys within Lockr > Add Keys and manage existing keys within Lockr > All Keys.
terminus wp <site>.<env> -- lockr lockdown
The Lockr plugin contains a number of WP-CLI commands to quickly register a site and get a key through the command line. With WP-CLI, you can run the command
wp plugin install lockr - activate to install and activate the Lockr plugin.
This command will register the site with Lockr to the email address provided. The password is only necessary for existing Lockr accounts. This is useful for automated deployment from a Custom Upstream using Quicksilver.
terminus wp <site>.<env> -- lockr register-site --email=[<Lockr email address>] --password=[<Lockr account password>]
Run this command and Lockr will go to the patch library and automatically patch your existing plugins that do not currently integrate natively with Lockr.
terminus wp <site>.<env> -- lockr lockdown
Run this command to get and decrypt a key from Lockr. This is a useful command to program in automated functionality in Quicksilver.
terminus wp <site>.<env> -- lockr get-key [key name]
This command encrypts a key and sends it to Lockr. This is useful during site migrations or automated deployments of new sites through Quicksilver.
terminus wp <site>.<env> -- lockr set-key --name=[key name] --label=[key label] --value=[key value]
Lockr for the latest version of Drupal depends on a connection library installed using Composer. If the Lockr module is not installed using Composer command
composer require 'drupal/lockr', the dependency must be installed manually with
composer require 'lockr/lockr:^1.0.0'.
This will download Lockr, all of its requirements, and update the
composer.json with these requirements.
You can enable the module by navigating to
/admin/modules, checking the box next to Key and Lockr, and clicking Install.
Lockr is also available for Drupal 7. Refer to the project's GitHub page for a list of modules that can be automatically patched.
terminus connection:set <site>.<env> sftp
Go to the modules page (
/admin/modules) and enable both modules.
Navigate to the Lockr configuration page (
Enter your email address and click Sign Up.
Use Drush to download and install Lockr in a few simple commands.
terminus drush <site>.<env> -- dl lockr terminus drush <site>.<env> -- en lockr terminus drush <site>.<env> -- lockr-register --email=[<Lockr account email >] --password=[<Lockr account password>]
This command registers the site with Lockr to the email address provided. The password is only necessary for email addresses already with a Lockr account. This is useful for automated deployment from a Custom Upstream using Quicksilver.
terminus drush <site>.<env> -- lockr-lockdown
Run this command and Lockr will go to a patch library and automatically patch your existing plugins that do not currently integrate natively with Lockr.
Non-CMS applications can easily integrate with Lockr after their credentials are set up through Lockr Support.
- API keys for connecting to external services such as: Payment gateways and web commerce solutions like PayPal, Stripe, WooCommerce, Authorize.net, etc.
- Email services providers: MailChimp, SendGrid, SMTP mail servers, etc.
- Various external services like Amazon Web Services
- A key used for encrypting data on your website
- LDAP and SSO authentication credentials
Lockr encrypts the keys before leaving the site or application with a process called key wrapping. Key wrapping takes one value, and encrypts (wraps) it using a second key. Lockr places the second key, usually termed the KEK (key encryption key) in the website in place of the original value. This prevents keys stored in Lockr from being viewed or compromised by adding another layer of security to the process. Lockr then sends an encrypted value over a secure, encrypted connection to Lockr servers. The value is stored inside an HSM (Hardware Security Module) provided by Townsend Security, which uses FIPS 140-2 compliant key management technology.
Yes! Lockr can be used to secure any API key, application secret, and other types of credentials. Once enabled in the CMS, keys entered are sent over an encrypted connection to the Lockr system. The credentials used to access Lockr are provided by the site host or application platform to prevent hijacking and tampering. This credentialed methodology enables the separation of development and production environments. Using key wrapping, keys are rendered useless from being used outside the website or application environment. Lockr is unable to see the values of your key.
Lockr manages keys on a “per environment" basis, which helps eliminate the potential of keys being shared from production to development environments. You no longer will have to worry about sending a test notification from development to production users, or have production data decrypted in development environments. Leveraging proven enterprise-grade key management technology from Townsend Security, Lockr’s off-site key management delivers best-practice security to protect against critical vulnerabilities within your CMS solution.
If you're encrypting sensitive information in your production environment, that data should not be decrypted anywhere but in production. With Lockr, data is encrypted in production with a production key that is not retrievable outside that environment. When a database is cloned to development, the keys that Drupal has access to cannot decrypt the data.