Normally if there is a password or secret token as part of the server admin settings, we store it in the config or config_plugins database tables. This means the following people can access the password:
- All Moodle site admins, or anyone else with moodle/site:config permission (go to the admin screen, click the button to show the password).
- Anyone with access to view the database contents, perhaps via a direct connection to the database without going through Moodle.
For a recent local change I was asked to store a password in a more secure manner. I built this as a new type of admin setting, which I'm proposing might be useful for core Moodle (this would be version 3.8 obviously). The new setting works as follows:
- Moodle won't display it in the UI.
- The password is encrypted in the database.
- The key pair used for encryption/decryption is stored in the filesystem - by default in moodledata, but you can configure a different location.
So that means that nobody can see it in the UI, and you need to be able to access both the database and the filesystem (instead of just the database, as before) in order to get and decrypt the value. In addition, the specific filesystem area can be configured for security, for example avoiding shared storage if required. (In our case, quite a few developers have access to the moodledata filesystem for troubleshooting, but much fewer people can access the secret area.)
To be clear this proposal doesn't apply to any old password in the admin settings (maybe it should apply to many of them, but it doesn't at present). It's a new admin setting, so plugin authors (and core developers) can use it for specific passwords where security is important. Obviously there is a tradeoff here - sometimes it is useful if Moodle lets you see what a password is.
Anyway if you think this sounds useful, please vote for MDL-65818 and/or comment here or in the tracker.
PS This isn't critical for us personally as I already made our version of this code which doesn't change core. But I think it would be nice functionality to have in core.