>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3559052. --> Reported by: [mxr576](https://www.drupal.org/user/315522) >>> <h2 id="problem-motivation">Problem/Motivation</h2> <p>The AI recipes and contrib AI provider and VDB provider modules currently prioritize ease of use similar to other Recipes, which creates significant security concerns for credential storage. By default, these modules depend on the Key module but use the Configuration key provider, which is not considered secure or production-ready.</p> <p>This default configuration means:</p> <ul> <li>Credentials are stored in the database by default</li> <li>Credentials can be exported to code via configuration management</li> <li>Credentials can be accidentally committed to version control systems</li> <li>Existing credentials on a site can be accidentally overridden when configurations are imported from code or when databases are synchronized between environments</li> </ul> <p>While this approach reduces friction for initial setup and experimentation, it presents considerable security risks. The current balance between ease of use and secure configuration is problematic for production deployments.</p> <p>The AI ecosystem should provide better support and guidance for both developers who build recipes and AI/VDB provider modules and consumers of those to store their credentials securely.</p> <h2 id="steps">Steps to Reproduce</h2> <ol> <li>Apply the drupalcms/ai recipe 2.0.0-alpha2 via Drush or on the UI and set your OpenAI keys or a dummy value</li> <li>Export site configuration using <code>drush config:export</code></li> <li>Observe that API credentials are exported to configuration YAML files in plain text</li> <li>Alternatively, examine the database to see credentials stored in the config table</li> </ol> <h2 id="proposed-resolution">Proposed Resolution</h2> <p><em>Original conversation starter ideas have been moved to <span class="drupalorg-gitlab-issue-link project-issue-status-info project-issue-status-1"><a href="https://www.drupal.org/project/ai_initiative/issues/3559052" title="Status: Active">#3559052: [META] Improve security of AI and VDB provider credential storage</a></span></em>.</p> <p>At the moment the most promising solution idea is what @phenaproxima, @mxt576 and others are working on <a href="https://www.drupal.org/sandbox/phenaproxima/3562833">Easy Encryption</a> sandbox project. Check the module's <a href="https://git.drupalcode.org/sandbox/phenaproxima-3562833/-/blob/2a2996a96dd52083f8a0e1fddfd44ea5c5b929f1/README.md">README.md</a> (permalink!) if you would like learn more about the idea. The concept is also under security review by the security team part of <span class="drupalorg-gitlab-issue-link project-issue-status-info project-issue-status-7"><a href="https://www.drupal.org/project/drupal_cms/issues/3560518" title="Status: Closed (fixed)">#3560518: Insecure credential storage used by drupal_cms_ai recipe as default</a></span>.</p> <h2 id="remaining-tasks">Remaining Tasks</h2> <ul> <li>Discuss alternative ideas for improving credential storage security</li> <li>Evaluate trade-offs between ease of use and security for different deployment scenarios (development, staging, production)</li> <li>Decide action steps for improving credential storage security</li> <li>Determine if changes should be contributed to Key module or implemented in AI module</li> <li>Create child issues for approved improvements</li> <li>Update documentation to reflect security best practices</li> </ul> <h2 id="user-interface-changes">User Interface Changes</h2> <h2 id="api-changes">API Changes</h2> <h2 id="data-model-changes">Data Model Changes</h2> <h2 id="release-notes-snippet">Release Notes Snippet</h2>