Awesome Support Documentation

Private Credentials Concepts

Introduction

In an era where nothing is ever truly secure, it is a very bad idea to ask your customers to provide user IDs and passwords over email. And once they are provided, it is just as bad an idea to save them in the database without some sort of encryption.

The Private Credentials Add-on allows your customers to enter access credentials to one or more systems and allows them to be stored, encrypted with a key, directly inside the Awesome Support database. While no encryption scheme can be considered completely secure, any encryption is always better than none.

It is important to understand that the use of the Private Credentials add-on does not mean you can relax your normal security processes and procedures. This is simply an additional defense that works in conjunction with your already robust defenses (they are robust, right?).

Here is an image of what your customers will see when they choose to enter confidential information into a ticket.

Later sections of the documentation will walk you through how this screen is used.

How The Data Is Encrypted

All data entered into the form shown in the image above is encrypted with a key that is unique to the ticket. The key and the data are both stored with the ticket. This is done without any additional work on the administrator's part. But the data can be made more secure with one more step.

In order for the data to be better secured, you will need to enable an option in your wp-config.php file.  Simply edit that file and add the following line to it:

define('WPAS_PC_ENCRYPTION_KEY_MASTER', 'master encryption key here');

You should use a very long master key and make sure you don’t forget it.

When this option is enabled, the individual ticket keys are further encrypted by this master key. In this way, an intruder needs to pull both the data from the database AND the data from the separately located wp-config.php file in order to decrypt the private credential contents.
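
The two-layer scheme described above, sketched as an added example. It is not the add-on's own code, and the page does not state which cipher the add-on uses. It assumes PHP 7.2+ with the bundled sodium extension; the `seal`/`unseal` helpers, the sample passphrase and the row layout are hypothetical.

```php
<?php
// Illustrative envelope encryption; NOT the add-on's actual code or algorithm.

// Seal data with a key: random nonce + authenticated ciphertext, base64-encoded.
function seal(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Reverse of seal(); throws if the key is wrong or the data was altered.
function unseal(string $sealed, string $key): string {
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered data');
    }
    return $plain;
}

// Master key as it would come from wp-config.php (constructed sample value).
// Hashing only normalises it to 32 bytes; this assumes a long, random string.
$passphrase = 'constructed sample master key, long and random in practice';
$master_key = sodium_crypto_generichash($passphrase, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

// Per-ticket key; both values below are what sits in the database with the ticket.
$ticket_key = sodium_crypto_secretbox_keygen();
$row = [
    'credentials' => seal('ftp-user / constructed-password', $ticket_key),
    'ticket_key'  => seal($ticket_key, $master_key), // wrapped, never stored raw
];

// Normal read path: database row plus the master key from wp-config.php.
echo unseal($row['credentials'], unseal($row['ticket_key'], $master_key)), PHP_EOL;

// Database dump alone: the wrapped ticket key does not open without the master key.
try {
    unseal($row['ticket_key'], sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo 'database row without master key: ', $e->getMessage(), PHP_EOL;
}
```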

Additional Security Precautions

When a ticket is closed, all private credentials are automatically removed. This means that you will not be maintaining a treasure-trove of private customer information. This will make your system less of a target to would-be hackers/intruders.