REST Key Management (RKM)
Note: REST Key Management (RKM) is included with the Pro version of Encrypted Post Type, which you can purchase here.
You can save your encryption keys to a different WordPress installation on a different server for added security. The WordPress REST API is then used to manage the keys.
Keeping the keys on a separate server, reached only through the WordPress REST API, is a significant improvement over storing them on the same server as the database they protect: a copy of that database on its own (a leaked backup, for example) no longer gives an attacker both the encrypted content and the keys needed to read it. Bear in mind that the content site still needs credentials to fetch the keys, and those credentials live in its wp-config.php (see step 6), so protect that file and revoke the application password if the content site is compromised (see below on how to revoke access).
The encryption keys are automatically created and accessed as and when needed. You control access to the keys and can revoke access at any time (see below on how to revoke access).
How to set up
01 Purchase the Pro version of Encrypted Post Type.
When you purchase the Pro version you’ll have access to 2 plugins, Encrypted Post Type Pro and Encrypted Post Type Rest Key Management (RKM).
*Includes 1 year of premium support and updates.
02 Install Encrypted Post Type Pro on the WordPress site that you’ll be using to add your content.
03 Install Encrypted Post Type Rest Key Management (RKM) on the WordPress site where you want to store your encryption keys.
This plugin adds the functionality to save the keys to the site. We’ll call this site the ‘RKM site’.
04 On the RKM site (the site where you installed Encrypted Post Type Rest Key Management and where the encryption keys will be saved), create a new, dedicated user and give this user the Editor role. Use this account only for the RKM connection.
The username can be anything you want.
05 Create an application password for the user.
Go to All Users in the left sidebar and click on the user. Then scroll down to the Application Passwords section. Type a name for your application password (it can be anything you want) and click the Add New Application Password button. WordPress displays the generated password only once, so copy it now; it will be needed in step 6 below. If the Application Passwords section is missing, note that WordPress only offers application passwords on sites served over https.
06 Connect the 2 sites together.
Go to the site where you installed Encrypted Post Type Pro (where you’ll be creating content) and add the following 3 lines to the wp-config.php file [1]:
define( 'RKM_URL', 'ADD URL HERE' );
define( 'RKM_USER', 'ADD USERNAME HERE' );
define( 'RKM_PASS', 'ADD APPLICATION PASSWORD' );
Replace ‘ADD URL HERE’ with the URL for the site where you installed Encrypted Post Type Rest Key Management (RKM), including the https:// scheme (for example https://keys.example.com).
Replace ‘ADD USERNAME HERE’ with the username for the user you created at step 4 above.
Replace ‘ADD APPLICATION PASSWORD’ with the application password you created at step 5 above.
07 Test the connection.
On the site where you installed Encrypted Post Type Pro (where you’ll be creating content) go to Settings > REST API in the left sidebar and click the Test Connection button. You should now see a message indicating the connection has been successful (if an error message is returned, see the troubleshooting section below).
08 Done! Encryption keys will now be saved to and accessed via the RKM site using the WordPress REST API.
Troubleshooting
When adding your REST API details you can run a test to check the connection has been made successfully by clicking the Test Connection button. If there is an issue with the connection an error message will display. This is the most common error:
cURL error 60: SSL certificate problem
The site where you create content could not verify the SSL/TLS certificate of the RKM site. TLS is what keeps the key material private while it travels between the 2 sites, so the content site refuses the connection rather than talk to a server it cannot identify. The usual causes are a certificate that is expired, self-signed or issued for a different hostname than the one in RKM_URL, or a PHP/cURL installation on the content site whose CA bundle is too old to recognise the certificate.
How to solve
First check the RKM site’s certificate in a browser: it should be valid, current and issued for exactly the hostname used in RKM_URL. If the certificate is fine, contact the hosting provider of the content site and share the error code with them; they should be able to update PHP’s cURL/OpenSSL configuration and CA bundle so that the certificate is recognised.
If you are debugging or testing then you can set this constant in wp-config.php to bypass SSL verification:
define( 'RKM_SSL', FALSE );
Important: Do not set this constant on a live site with important data. The data is still sent over https, but the content site stops checking who it is talking to, so anyone who can intercept traffic between the 2 sites could impersonate the RKM site and read or substitute the encryption keys. Remove the constant as soon as the certificate problem is fixed.
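The connection set up in steps 6 and 7, and the certificate error above, can also be checked from a shell on the content server, independently of the plugin’s Test Connection button. The script below is an added example written for this article; it is not part of Encrypted Post Type or its RKM plugin. It reads the RKM_URL, RKM_USER and RKM_PASS constants from wp-config.php, flags placeholder values, a URL without https:// and a disabled RKM_SSL check, and its rkm_probe function then logs in to the RKM site with the application password over the core WordPress REST API endpoint /wp-json/wp/v2/users/me with certificate verification left on. The wp-config.php fragment it creates is a constructed sample; the users/me endpoint and HTTP Basic authentication with application passwords are standard WordPress, but nothing is assumed about the RKM plugin’s own endpoints.

```shell
#!/bin/sh
# Added example (not part of the Encrypted Post Type plugins): sanity-check the RKM
# constants in wp-config.php and probe the RKM site with the same credentials.

# Extract the value of define( 'NAME', 'value' ); from a wp-config.php file.
# $1 = path to wp-config.php, $2 = constant name. Prints nothing if it is not defined.
rkm_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Static checks on the three constants from step 6. Prints one problem per line and
# returns 1 if anything needs fixing, 0 when the file looks ready for Test Connection.
rkm_check_config() {
    _file=$1
    _url=$(rkm_define "$_file" RKM_URL)
    _user=$(rkm_define "$_file" RKM_USER)
    _pass=$(rkm_define "$_file" RKM_PASS)
    _status=0
    case "$_url" in
        '')             echo "RKM_URL is not defined"; _status=1 ;;
        'ADD URL HERE') echo "RKM_URL still holds the placeholder"; _status=1 ;;
        https://*)      ;;
        *)              echo "RKM_URL must start with https:// (got '$_url')"; _status=1 ;;
    esac
    case "$_user" in
        '')                  echo "RKM_USER is not defined"; _status=1 ;;
        'ADD USERNAME HERE') echo "RKM_USER still holds the placeholder"; _status=1 ;;
    esac
    case "$_pass" in
        '')                         echo "RKM_PASS is not defined"; _status=1 ;;
        'ADD APPLICATION PASSWORD') echo "RKM_PASS still holds the placeholder"; _status=1 ;;
    esac
    # RKM_SSL set to FALSE disables certificate verification (see the troubleshooting section).
    if grep -qi "define([[:space:]]*'RKM_SSL'[[:space:]]*,[[:space:]]*false" "$_file"; then
        echo "RKM_SSL is FALSE: certificate verification is disabled, remove this on a live site"
        _status=1
    fi
    return $_status
}

# Live probe: log in to the RKM site as the RKM user over the core REST API, with curl's
# default certificate verification (no -k). Prints the HTTP status code:
#   200 = user and application password accepted, 401 = rejected (wrong or revoked password).
# A curl exit status of 60 is the certificate problem described in the troubleshooting section.
rkm_probe() {
    _file=$1
    _url=$(rkm_define "$_file" RKM_URL)
    _user=$(rkm_define "$_file" RKM_USER)
    _pass=$(rkm_define "$_file" RKM_PASS)
    # WordPress ignores the spaces shown in a generated application password when it
    # checks the password, so the value can be pasted exactly as displayed.
    curl --silent --show-error --output /dev/null --write-out '%{http_code}\n' \
        --user "$_user:$_pass" "${_url%/}/wp-json/wp/v2/users/me"
}

# Constructed sample wp-config.php fragment: the three lines from step 6 with the URL
# placeholder left in and RKM_SSL disabled, to show what the checker reports.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
<?php
define( 'RKM_URL', 'ADD URL HERE' );
define( 'RKM_USER', 'rkm-connection' );
define( 'RKM_PASS', 'abcd efgh ijkl mnop qrst uvwx' );
define( 'RKM_SSL', FALSE );
EOF

rkm_check_config "$SAMPLE_CONFIG" || echo "fix the problems above, then run: rkm_probe /path/to/wp-config.php"
rm -f "$SAMPLE_CONFIG"
```

Run rkm_check_config against the real wp-config.php first; once it reports nothing, rkm_probe should print 200. A 401 means the RKM site rejected the user or application password (for example after it was revoked as described in the FAQ below), and a curl exit status of 60 is the same certificate failure the plugin reports, to be fixed as described above rather than by setting RKM_SSL to FALSE.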
FAQ
Can a RKM site host keys for multiple sites?
Yes. One RKM site can host keys for multiple sites running Encrypted Post Type Pro. Just bear in mind that you will need a license for each site where Encrypted Post Type Pro is installed.
How can I revoke access?
- Log in to the RKM site either as an administrator or as the user set up for the RKM connection.
- If logged in as an administrator go to Users and search for the user that’s set up for the RKM connection, OR if logged in as the user set up for the RKM connection, go to Profile.
- If logged in as an administrator, click on the user to visit their profile.
- Scroll to the Application Passwords section and click Revoke.
- The application password has now been revoked and the site with your EPT content won’t be able to access encryption keys via RKM.
- To grant access to the RKM site again you’ll need to create a new application password and update the wp-config.php file on the site where your content is.
Are the encryption keys encrypted before being sent to the RKM site?
Yes, the keys are encrypted before being sent via the REST API and saved on the RKM site.
Footnotes
[1] The knowledge base article on naming the post type provides details on how to edit the wp-config.php file.