Introducing BestWorlds’ New Encryption Key Rotation Module for Magento 2

We’re excited to introduce BestWorlds’ Encryption Key Rotation Module for Magento 2. This module helps you securely rotate encryption keys in response to the Cosmic Sting vulnerability disclosed on September 26, 2024. This vulnerability exposed JWT Admin Tokens, which could reveal your current encryption keys.

Why You Need to Rotate Your Encryption Keys

Magento has recommended key rotation to mitigate this vulnerability. You can generate new keys through the Magento admin interface, but replacing old keys is crucial because the vulnerability exposed them. Magento’s patch helps prevent the use of old keys, especially for JWT Tokens, but rotating keys in the admin interface didn’t fully resolve the issue for encrypted third-party data.

After researching other solutions (like the SanSec module), we found them too complex and potentially problematic, so we created a simpler, more reliable option.

Our Solution: The Encryption Key Rotation Module

Our Encryption Key Rotation Module simplifies the process. With a single command, you can replace your old encryption key with a new one, ensuring everything on your site continues working seamlessly.

Key Features of the Module

Here’s how the module works:

  1. Generate a New Encryption Key: The module creates a new key and adds it to your configuration. You can provide your own key or let Magento generate one automatically (which we recommend).
  2. Re-encrypt Two-Factor Authentication (TFA) Values: It updates your TFA encrypted values to keep them secure.
  3. Re-encrypt All Database Values: The module re-encrypts all database values, including encrypted data from third-party modules.
  4. Update Image Cache Directory Names: It changes image cache directory names to match the new encryption key. Unlike Magento’s default key rotation process, which requires regenerating all cached images, this module makes it easier.

Managing Cache Images: Choose Your Approach

In the admin panel (Stores -> Configuration -> BestWorlds -> Encryption Key), you can choose how to handle cache images:

  • Symlink Approach (Recommended): This option creates symlinks that point from the old cache directories to the new ones. It’s safer and allows you to verify that product images load correctly before replacing the old directories.
  • Rename Approach: This replaces the old cache directory names with the new ones. While simpler, it carries more risk, especially on large projects. We recommend the Symlink Approach to avoid issues.

Extensible for Developers

The module is designed to be flexible, so developers can easily add or remove process steps if necessary. It’s built to be customizable for different project needs.

Developer Guide

This module is intended for experienced Magento developers, as it requires an understanding of the platform and its encryption key features. Here are the steps to follow:

  1. Test in Development First: Always try this module on a development environment before applying it to a live store
  2. Backup Your Data: Make a full backup of your database and the env.php file in your app/etc/ folder. The old encryption key will be saved under the “invalidated_keys” configuration, but it’s good to have a backup just in case.
  3. Choose Your Cache Management Strategy: The default setting is Symlink, but if you choose the Rename option, we recommend backing up your image cache directories first.
    Run the Key Rotation Command: In the terminal, execute the following command:
    bin/magento encryption:key:rotate
  4. If you don’t specify a key, Magento will generate one automatically
  5. Monitor Progress: The command will show you the steps being executed. After the database re-encryption is complete, a CSV report with the details will be saved at var/encryption-key/report/{CURRENT_DATE}.csv
  6. Clear Your Cache: Don’t forget to clear all caches in your Magento project after rotating the keys
  7. Verify Cache Images: Check that product images load correctly from the new cache directories (using the symlinks). Once confirmed, you can replace the symlinks with the actual directories. You can do this via:
    • Magento Admin: Go to Stores -> Configuration -> BestWorlds -> Encryption Key -> Cache Directories -> Convert symlinks into directories.
    • Magento CLI: Run the following command: bin/magento encryption:key:replace-cache-images-symlinks

Conclusion

The Encryption Key Rotation Module simplifies the key rotation process, helps you stay secure, and avoids complications. Whether you’re handling third-party module data, re-encrypting TFA values, or updating image cache directories, this module provides a smooth, reliable solution.

For more details, check out the module on GitHub.