genecommerce / module-encryption-key-manager

Tooling to help generate and invalidate magento encryption keys
GNU Lesser General Public License v3.0

Create plugin on afterDecrypt and log a trace #7

Closed peterjaap closed 1 month ago

peterjaap commented 1 month ago

Log the locations where the value was found (stack trace / location)?

And then let it run for a week or so, and we should have a pretty comprehensive list of all encrypted values.

With toggle.

convenient commented 1 month ago

This is how I usually log a trace:

    /**
     * Make the log entry a single pipe-separated line.
     * Remove the full path from the trace for easier reading.
     * BP is defined in app/autoload.php.
     */
    $traceString = str_replace(PHP_EOL, '|', (new \Exception)->getTraceAsString());
    $traceString = '|' . str_replace(BP . '/', '', $traceString);

After here https://github.com/magento/magento2/blob/29fe90973b957120d5a9a84e608be29cd271014a/lib/internal/Magento/Framework/Encryption/Encryptor.php#L419

mpchadwick commented 1 month ago

There is also Magento\Framework\Debug::backtrace

convenient commented 1 month ago

Thanks @mpchadwick all these years and this passed me by 😄

convenient commented 1 month ago

I think it would be cool if we had flags like

That way the process for securing your site can be

  1. Deploy this module
  2. php bin/magento gene:encryption-key-manager:generate
    1. This will then prevent JWT with old keys
  3. Go through the process of bin/magento gene:encryption-key-manager:reencrypt-column admin_user user_id rp_token etc with every table
  4. When you're happy you've got everything encrypted with the new key, you can enable the "Only log legacy encrypted values" flag. If you get a log hit, you know you've missed something and you have a target to address. If you don't get any log hits for however long, you know you're happy to proceed to the next step, which is
  5. php bin/magento gene:encryption-key-manager:invalidate

I really think this moves the "logging" aspect up the priority list, as it will give us assurance that we've targeted everything before we make the all too critical "invalidation" step.
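The two ideas in this thread, a compact trace logged from an afterDecrypt plugin (convenient's snippet and mpchadwick's pointer to Debug::backtrace) and an "only log legacy encrypted values" toggle that makes every remaining hit a re-encryption target (step 4 above), fit in one plugin class. The following is an added example written for this issue, not code from the module or from any commenter. It assumes: a hypothetical namespace and class name, a hypothetical constructor argument for the toggle (a real module would wire it through di.xml or a config path), that the plugin is declared on Magento\Framework\Encryption\Encryptor in di.xml, that the latest key index is the last line of crypt/key in env.php (Encryptor itself splits that value on "\n"), and that the ciphertext prefix is read the way Encryptor::decrypt branches on it (three or four colon-separated parts carry an explicit key version; one or two parts mean the oldest key). Check the last two assumptions against the Magento version you run.

```php
<?php
declare(strict_types=1);

// Hypothetical namespace/class for this example; not part of the module.
namespace Gene\EncryptionKeyManager\Plugin;

use Magento\Framework\App\DeploymentConfig;
use Magento\Framework\Config\ConfigOptionsListConstants;
use Magento\Framework\Debug;
use Magento\Framework\Encryption\Encryptor;
use Psr\Log\LoggerInterface;

/**
 * afterDecrypt plugin: records where encrypted values are decrypted so that,
 * once everything has been re-encrypted, any hit left in the log points at a
 * value still protected by an old key.
 */
class LogDecryptTrace
{
    public function __construct(
        private DeploymentConfig $deploymentConfig,
        private LoggerInterface $logger,
        // Assumed toggle: when true, only values encrypted with a non-latest key are logged.
        private bool $onlyLegacy = false
    ) {
    }

    /**
     * Runs after Encryptor::decrypt(). $data is the stored ciphertext passed to decrypt().
     * The decrypted $result is returned untouched and never logged.
     */
    public function afterDecrypt(Encryptor $subject, $result, $data)
    {
        $keyVersion = self::keyVersionOf((string)$data);
        $latest = $this->latestKeyVersion();
        $isLegacy = $keyVersion !== null && $keyVersion < $latest;

        if ($isLegacy || !$this->onlyLegacy) {
            $this->logger->info(sprintf(
                'decrypt key_version=%s latest=%d legacy=%s trace=%s',
                $keyVersion === null ? 'n/a' : (string)$keyVersion,
                $latest,
                $isLegacy ? 'yes' : 'no',
                // Debug::backtrace($return, $html, $withArgs): return as plain text, no arguments.
                self::compactTrace(Debug::backtrace(true, false, false))
            ));
        }
        return $result;
    }

    /**
     * Key index encoded in the ciphertext prefix, following Encryptor::decrypt's
     * handling of "keyVersion:cipherVersion[:iv]:data" (assumption, see lead-in).
     * Returns 0 for values with no key version (oldest key) and null for an empty value.
     */
    public static function keyVersionOf(string $data): ?int
    {
        if ($data === '') {
            return null;
        }
        $parts = explode(':', $data, 4);
        if (count($parts) >= 3) {
            return ctype_digit($parts[0]) ? (int)$parts[0] : null;
        }
        return 0;
    }

    /**
     * env.php keeps every key ever generated, one per line; the newest is last.
     */
    private function latestKeyVersion(): int
    {
        $keys = (string)$this->deploymentConfig->get(ConfigOptionsListConstants::CONFIG_PATH_CRYPT_KEY);
        return count(explode("\n", trim($keys))) - 1;
    }

    /**
     * Same idea as the snippet above: one pipe-separated line, paths relative to BP.
     */
    public static function compactTrace(string $trace): string
    {
        $trace = str_replace(["\r\n", "\n"], '|', trim($trace));
        return '|' . str_replace(BP . '/', '', $trace);
    }
}
```

With the toggle off the log is a census of every decrypt site, which is what the first comment asks for; with it on, a quiet log over the observation window is the signal that the invalidate step is safe. The log line deliberately carries the key version and trace but never the plaintext or ciphertext, so the log file itself does not become a second copy of the secrets.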