The team at Lockr recently launched a new version to our WordPress and Drupal integrations which continues to push the envelope of key management within the CMS world. This update is part of a large overhaul which started in the fall of ‘16 including both serverside and clientside updates.
The results? Lockr is now easier to use, easier to deploy, and more secure.
Below is a breakdown of the latest updates, features and enhancements as they apply to our customers and partners moving forward. Any Key, Anywhere!
AUTOMATED CERTIFICATE CREATION
From the outset, we built Lockr to work hand in hand with hosting providers to allow for seamless authentication. To do this, we leverage hosting provider’s internal security architecture, or their public key infrastructure (PKI). This is how your hosting provider knows your server, code, and database from the next account on the service. Lockr uses their PKI to provide identification for authentication. We have been working with the wonderful team at Pantheon since day-1 to ensure our authentication works with all sites on their platform. We have other partners we will be adding in the coming months, but in the meantime the process for a site to begin using Lockr was not as smooth as it could be. Now, that is a thing of the past.
With a new endpoint on the Lockr servers, anyone can now request an account and get back authentication from our internal PKI, regardless of your hosting provider. Lockr will now give you authentication, even if your hosting provider PKI is outside our partner program. With this, Lockr will place those credentials in a safe place on your server, but we recommend you work with your hosting provider and/or devops team to further secure the credential certificate. We’ve had numerous successful sign-ups with this new system and look forward to growing the key management community even faster now that there are no hosting provider hurdles to begin using Lockr.
EXTRA LAYERS OF SECURITY
Recently there was a breach of the Cloudflare service which exposed data as it passed through the service, even if it was over encrypted SSL/TLS connections. This highlights an important fact that we at Lockr speak about often, SSL/TLS only secures data in transit but encryption of the underlying data secures it at rest, in addition to while in transit. We at Lockr take this to heart which is why keys are encrypted prior to leaving your website, preventing anyone and even Lockr from knowing what is transmitted.
With this new release we take this one step further by adding a keyed-hash message authentication code (HMAC), a digital fingerprint of your data, to the encryption process. While crypto-nerds will know what this is and recognize the value it adds, we wanted to break down why it’s important. Encryption hides your data from everyone without the key. However in an incredibly sophisticated attack, an attacker could change values in the encrypted data so that when it decrypts the data is changed ever so slightly. The chances of this even working are so miniscule that it is not usually a concern. The chances of this resulting in loss of data or your encrypted data being leaked is beyond astronomical that it’s safe to say it is impossible, but it could cause the decryption of the data to fail, or the site functionality to be disrupted. Enter the HMAC, a digital fingerprint of the encrypted data. This HMAC fingerprint is not transmitted to Lockr and is stored within your website. After retrieving a key from Lockr, the first step is a check of the fingerprint to ensure the data you sent to Lockr is the data you retrieve from Lockr. Then the key is decrypted and ready to use safely. This is just an extra layer of protection on top of the many we provide to ensure that your keys are safe with Lockr.
Often our first response after getting a question in our slack channel was “What message are you seeing on the admin page” since we set different messages to show based on the stage of setup the user was in. After working through some ideas with customers we have come up with a intuitive, and easy to read admin dashboard. This will serve as a basis for more features to come, however at the moment it now shows the status of the site registration, whether the authentication certificate is present and valid, and whether the account has a credit card on file to move to production. We’ve color coded the responses too so that green means you’re good, yellow means take note and red indicates there’s another step to setup. This will provide more clarity into the steps and the status of your Lockr setup.
We met the wonderful team behind Give last year while attending the WordCamp Los Angeles. If you haven’t seen Give yet, check them out! They created a plugin making donations simple and secure. With the latest update to our WordPress plugin, Lockr now supports Give out of the box. With nothing to setup, anytime you save an admin form in Give, Lockr will now take any API keys which are to remain secret and stores them in Lockr. Then, when Give is using any of these services Lockr seamlessly provides the key back for use.
Since Give supports the wonderful efforts of many non-profits taking online donations, Lockr has decided to join in on the support. To celebrate our integration, we are offering the first 6 months of Lockr at no cost for any key from Give stored in our system
We know just how important online donations are for all non-profits and want to support and add our layer of security on top of the already rock solid security of the Give platform.
In short, this update to Lockr is one we have been working on for some time and are excited to release it to our customers. Here’s the recap:
- Provides a simple automated registration process
- Keeps keys even safer in transit and at rest
- Has a new admin dashboard to allow for a quick status check at any time
- Launches a new integration with the great team over at Give
For more information on Lockr, please visit https://lockr.io