Add recommendations for best practices to documentation

[rlhawk]

The Encrypt module's documentation should include very thorough and specific recommendations for:

• Encryption method - A high-quality, modern library, such as Defuse PHP Encryption
• Key size - At least 128 bits
• Key quality - A string of random bytes
• Key storage - Keep keys out of the database, out of the web root, on a different server, if possible

We can provide links to articles or documentation to support our positions.

[svendecabooter]

I'm trying to set up a separate module that uses the Defuse PHP Encryption library for Encrypt.

I'm a bit confused as to which would be the recommended version of the library to use.
There's version 1.2.1, the latest release, but from what I understand this only uses 128 bit keys.
Then there's 2.0, but that's still under active development in master branch. Also probably not a good idea to use that one, if there is no stable release tagged, although real_aes in D7 does seem to do it that way. Is that the recommended approach?

[rlhawk]

Right, 2.0 is still being developed, so 1.2.1 is the one to recommend at this point. And yes, it uses 128-bit keys. Real AES was written before 2.x existed, so it does not specify a version. I will look into that and submit a patch to Real AES to make sure it's ready when 2.x is.

[svendecabooter]

From glancing at the code and used namespaces, I thought Real AES did use the 2.x version. Should be double-checked though. @nerdstein and me are looking into integrating the Defuse library for D8 Encrypt now - see https://www.drupal.org/sandbox/nerdstein/2669882

[rlhawk]

OK, so you're planning to have a new module that uses the Defuse library, instead of upgrading Real AES? There's an issue to do the latter; we should try to get that closed, if we'll be providing a D8 alternative. I would prefer not to have multiple modules that employ the library.

[svendecabooter]

Yes probably it would be better to keep things centralised, but I was just trying to get some working code in a (sandbox) repo, without having to go to the patch posting process.

We can try to get in touch with Heine and provide a patch to create the 8.x branch of real_aes.
It would just come down to changing the module name & namespaces, so that shouldn't be much work.

[svendecabooter]

Patch for real_aes created: https://www.drupal.org/node/2613682
This could use some review!

[svendecabooter]

moved this issue to drupal.org, to add extra documentation if desired: https://www.drupal.org/node/2678082