Recommend Pantheon Secrets instead of Lockr (#9247)
* Update integrations doc: swap Lockr with Pantheon Secrets

* Update 09-wp-security.md

Swapped Lockr for Pantheon Secrets

* Update 04-private-paths.md

Updated: https://docs.pantheon.io/guides/secure-development/private-paths#private-path-for-files

* Update 11-wordpress-secrets-management.md

Removed Lockr references for: https://docs.pantheon.io/guides/wordpress-developer/wordpress-secrets-management#via-lockr

* Remove dupe links

* Add secrets manager to quicksilver guide, remove lockr crosslink

* Swap lockr for pantheon secrets across a few more guides

* Swap lockr for pantheon secrets across landing pages, deprecate lockr doc

* Update and simplify wp secrets copy

* Add alert to signal stronger

* Update source/content/guides/wordpress-developer/11-wordpress-secrets-management.md

Co-authored-by: Chris Reynolds <[email protected]>

* Update source/content/guides/quicksilver/02-install-script.md

Co-authored-by: Chris Reynolds <[email protected]>

* Align syntax

---------

Co-authored-by: Rachel Whitton <[email protected]>
Co-authored-by: Chris Reynolds <[email protected]>
3 people authored Oct 9, 2024
1 parent 29fdb89 commit 31f2728
Showing 13 changed files with 54 additions and 77 deletions.
17 changes: 7 additions & 10 deletions source/content/guides/quicksilver/02-install-script.md
Expand Up @@ -99,18 +99,16 @@ Use the [Pantheon Search and Replace URLs on WordPress Sites repository](https:/

### Secrets

Your script may require tokens, passwords, or other information that should be protected. These values should be stored securely. You can do this with a third-party key management service like [Lockr](/guides/lockr).
Your script may require tokens, passwords, or other information that should be protected. These values can be managed securely using the [Pantheon Secrets](/guides/secrets) platform service. First set the key via Terminus, then use the `pantheon_get_secret()` function in your script, for example:

You can also use your site's [private files path](/guides/secure-development/private-paths#private-path-for-files) to store values securely. Note that the Site Dashboard function to copy files from one environment to another will also overwrite the private files path when storing keys for Quicksilver scripts in the private files path.

Install the [Terminus Secrets Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin) to manage secret data in JSON files in your site's private files path.

This allows you to write and remove key values. The code example below shows you how to write a value to a key:

```bash{promptUser: user}
terminus secrets:set site.env key value
```php
if ( function_exists( 'pantheon_get_secret' ) ) {
$secret_value = pantheon_get_secret( 'secret_name' );
}
```

Alternatively, you can use your site's [private files path](/guides/secure-development/private-paths#private-path-for-files) to store values.

### Slack Integration

Use the [Pantheon Slack Integration repository](https://github.com/pantheon-systems/quicksilver-examples/tree/main/slack_notification) to integrate Slack notifications from your Pantheon project using Quicksilver. This integration overview also provides information on how to manage API keys outside of your site repository.
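Review bot: The new paragraph ends with "First set the key via Terminus, then use the `pantheon_get_secret()` function in your script, for example:", but the only Terminus command in the hunk, `terminus secrets:set site.env key value`, is the one being removed, so the reader is left with no command to run; add the Pantheon Secrets equivalent or link to the part of /guides/secrets that documents it. The PHP snippet also leaves `$secret_value` undefined when `pantheon_get_secret()` does not exist (local development, or a site without the integration) and does not handle a null return for a secret that was never set, so an explicit default or failure branch would make it safer to copy into a Quicksilver script. Finally, the removed caveat that the Site Dashboard's copy-files action overwrites the private files path applies just as much to the "Alternatively, you can use your site's private files path" fallback that remains; consider keeping that sentence.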
Expand All @@ -129,7 +127,6 @@ Use the [Pantheon WP Solr Index repository](https://github.com/pantheon-systems/

## More Resources

- [Lockr](/guides/lockr)
- [Private Paths for Files and Code](/guides/secure-development/private-paths)
- [WordPress Configuration Management (WP-CFM)](/guides/wordpress-configurations/wp-cfm)
- [Drush on Pantheon](/guides/drush)
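Review bot: The More Resources list drops the Lockr link without adding a Pantheon Secrets entry, while the same edit in 05-asana.md, 06-jira.md and 07-trello.md replaces it with `- [Pantheon Secrets](/guides/secrets)`; add the same entry here for consistency, since the Secrets section above now sends readers to that guide.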
4 changes: 2 additions & 2 deletions source/content/guides/quicksilver/05-asana.md
Expand Up @@ -110,7 +110,7 @@ In the commands below, replace `<site>` with your site name, `<user>` with your

<Alert title="Note" type="info">

When it comes to keeping production keys secure, the best solution is to use a key management service like [Lockr](/guides/lockr) to automatically encrypt and secure keys on distributed platforms such as Pantheon.
When it comes to keeping production keys secure, the best solution is to use a key management service like [Pantheon Secrets](/guides/secrets) to automatically encrypt and secure keys on distributed platforms such as Pantheon.

</Alert>

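Review bot: The replacement sentence keeps wording written for a third-party vendor ("a key management service like [Pantheon Secrets] ... on distributed platforms such as Pantheon"), which reads oddly now that the service is Pantheon's own; reword along the lines of "the best solution is to use [Pantheon Secrets](/guides/secrets) to securely manage keys on the platform", and apply the same fix to the identical alerts in 06-jira.md, 07-trello.md and pivotal-tracker.md below.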
Expand Down Expand Up @@ -192,5 +192,5 @@ If you use GitHub, you can further integrate with [Unito](https://unito.io/asana
## More Resources

- [Pantheon YAML Configuration Files](/pantheon-yml)
- [Lockr](/guides/lockr)
- [Pantheon Secrets](/guides/secrets)
- [Private Paths for Files and Code](/guides/secure-development/private-paths)
4 changes: 2 additions & 2 deletions source/content/guides/quicksilver/06-jira.md
Expand Up @@ -107,7 +107,7 @@ Otherwise, continue to the next step.

<Alert title="Note" type="info">

When it comes to keeping production keys secure, the best solution is to use a key management service like [Lockr](/guides/lockr) to automatically encrypt and secure keys on distributed platforms such as Pantheon.
When it comes to keeping production keys secure, the best solution is to use a key management service like [Pantheon Secrets](/guides/secrets) to automatically encrypt and secure keys on distributed platforms such as Pantheon.

</Alert>

Expand Down Expand Up @@ -193,5 +193,5 @@ You can also connect your Jira and Pantheon-integrated site to an external repos
## More Resources

- [Pantheon YAML Configuration Files](/pantheon-yml)
- [Lockr](/guides/lockr)
- [Pantheon Secrets](/guides/secrets)
- [Private Paths for Files and Code](/guides/secure-development/private-paths)
4 changes: 2 additions & 2 deletions source/content/guides/quicksilver/07-trello.md
Expand Up @@ -104,7 +104,7 @@ We use the filesystem private path in this section because we don't want to trac

<Alert title="Note" type="info">

When it comes to keeping production keys secure, the best solution is to use a key management service like [Lockr](/guides/lockr) to automatically encrypt and secure keys on distributed platforms such as Pantheon.
When it comes to keeping production keys secure, the best solution is to use a key management service like [Pantheon Secrets](/guides/secrets) to automatically encrypt and secure keys on distributed platforms such as Pantheon.

</Alert>

Expand Down Expand Up @@ -189,5 +189,5 @@ You can also connect your Trello and Pantheon-integrated site to an external rep

- [Git on Pantheon](/guides/git)
- [Pantheon YAML Configuration Files](/pantheon-yml)
- [Lockr](/guides/lockr)
- [Pantheon Secrets](/guides/secrets)
- [Private Paths for Files and Code](/guides/secure-development/private-paths)
2 changes: 1 addition & 1 deletion source/content/guides/secrets/04-php.md
Expand Up @@ -29,7 +29,7 @@ The function `pantheon_get_secret()` may be used to fetch the value of a single

```php
if ( function_exists('pantheon_get_secret') ) {
$secret_value = pantheon_get_secret("SECRET_NAME");
$secret_value = pantheon_get_secret('secret_name');
}
```

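Review bot: Changing the argument to `'secret_name'` aligns it with the Quicksilver and WordPress guides, but the surrounding `function_exists('pantheon_get_secret')` is still spaced differently from the `function_exists( 'pantheon_get_secret' )` used in the snippets added elsewhere in this commit; since the commit says "Align syntax", pick one spacing for all three. Switching the example from `SECRET_NAME` to `secret_name` also changes the naming convention readers will copy, so check that the rest of the secrets guide uses the same one.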
10 changes: 6 additions & 4 deletions source/content/guides/secure-development/04-private-paths.md
Expand Up @@ -13,7 +13,7 @@ integration: [--]
contributors: [whitneymeredith]
showtoc: true
permalink: docs/guides/secure-development/private-paths
reviewed: "2022-07-21"
reviewed: "2024-10-09"
---

This section provides information on how to use private paths to keep your files and code secure.
Expand Down Expand Up @@ -68,11 +68,13 @@ Follow the steps below to store data that should be version controlled, such as

## Private Path for Files

The best solution to keep production keys secure is to use a key management service like [Lockr](https://lockr.io/) to automatically encrypt and secure keys on distributed platforms such as Pantheon.
<Alert title="Warning" type="danger">

You can integrate this service using the [Lockr plugin](https://wordpress.org/plugins/lockr/) for WordPress and the [Lockr module](https://www.drupal.org/project/lockr) for Drupal. For more details, see this [related blog post](https://pantheon.io/blog/key-drupal-security).
The best solution to keep production keys secure is to use a key management service like [Pantheon Secrets](/guides/secrets) to automatically encrypt and secure keys.

Alternatively, you can store sensitive data in a JSON or ini-style text file within the following directories:
</Alert>

Alternatively, you can store unencrypted keys in a JSON or ini-style text file within the following directories:

- WordPress: `wp-content/uploads/private`

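Review bot: The new `danger` alert states a recommendation but not the risk it warns about; the sentence that follows already says the fallback stores "unencrypted keys" in the private files path, so the alert should say that plainly (keys kept in the directories listed below are plaintext files, and the Site Dashboard's copy-files action copies and overwrites them between environments, as the Quicksilver guide used to note) so readers understand why Pantheon Secrets is preferred. The removed paragraph also carried the Drupal-side guidance; the new text only links to /guides/secrets, so confirm that guide covers Drupal as well as WordPress.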
Expand Up @@ -173,7 +173,7 @@ This plugin has known [multisite issues](https://github.com/humanmade/S3-Uploads

</Alert>

1. Add the credentials to `wp-config.php`, as described in the plugin's [README](https://github.com/humanmade/S3-Uploads#getting-set-up) file. For increased security, we recommend a service like [Lockr](/guides/lockr) or the [Terminus Secrets plugin](https://github.com/pantheon-systems/terminus-secrets-plugin) to store and retrieve these credentials securely. Refer to [Secret Management Techniques](/guides/wordpress-developer/wordpress-secrets-management#store-your-keys) for more secure methods to store your keys.
1. Add the credentials to `wp-config.php`, as described in the plugin's [README](https://github.com/humanmade/S3-Uploads#getting-set-up) file. For increased security, we recommend using [Pantheon Secrets](/guides/secrets) to store and retrieve these credentials securely.

1. Commit and push the new plugin and your `wp-config.php` file updates to the Dev environment, then switch to SFTP mode and activate the plugin:

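Review bot: Step 1 still tells the reader to add the credentials to `wp-config.php` and then, in the same sentence, to use Pantheon Secrets instead; say how the two fit together, e.g. that the `define()` calls in `wp-config.php` should read the values with `pantheon_get_secret()` rather than contain the literal keys, otherwise the literal credentials get committed with the file in the very next step ("Commit and push ... your `wp-config.php` file updates").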
Expand Up @@ -11,7 +11,7 @@ product: [--]
integration: [aws]
tags: [files]
contributors: [carl-alberto]
reviewed: "2023-05-19"
reviewed: "2024-10-09"
showtoc: true
permalink: docs/guides/wordpress-developer/wordpress-secrets-management
---
Expand All @@ -32,43 +32,26 @@ Plugin and theme license keys are unique codes used to activate and authenticate

## Store Your Keys

### Via wp-config.php

Most plugin and theme author's documentation recommend storing license or API keys within the `wp-config.php` file. This is the most popular approach even though there are noted drawbacks, including:

- Less secure than other methods

- Lack of scalability, especially if you are using version control as this will store sensitive information in the codebase

We recommend that you store your license keys in a secure non-version controlled file location like `~/files/private/wp-config.secrets.php`. This is more secure and allows you to have different values in each environment.
### Use Pantheon Secrets
Instead, we recommend using [Pantheon Secrets](/guides/secrets) to securely manage keys on the platform.

Set the key via Terminus, then use the `pantheon_get_secret()` function in your script, for example:

```php
if ( file_exists( dirname( __FILE__ ) . '/wp-content/uploads/private/wp-config-secrets.php' ) && isset( $_ENV['PANTHEON_ENVIRONMENT'] ) ) {
if (!defined('WP_SAMPLE_KEY')) {
define( 'WP_SAMPLE_KEY', 'EXAMPLEKEY1234' );
}
if ( function_exists('pantheon_get_secret') ) {
$secret_value = pantheon_get_secret( 'secret_name' );
}
```
### Use the private files path
Alternatively, you can use your site's [private files path](/guides/secure-development/private-paths#private-path-for-files) to store and retrieve values.

### Via Terminus Secrets Plugin

Pantheon's [Terminus Secrets plugin](https://github.com/pantheon-systems/terminus-secrets-plugin) writes entries into the `~/files/private/secrets.json` file.

<Alert title="Note" type="info" >

The Terminus Secrets plugin uses `~/files/private/secrets.json`, which is a different private directory than the private directory used to store your Quicksilver scripts.

</Alert>

This is a JSON file containing multiple keys that are not included in your project's source code. The Terminus Secrets script fetches this file, modifies it as requested, and then writes it back to the Pantheon site.

You can add secret key pairs using this command for each:

```bash{promptUser: user}
terminus secrets:set examplesite.dev wp_sample_key EXAMPLEKEY1234
```

You can then parse those values via wp-config and assign them to the corresponding variables and environment using this sample code:
Create a `secrets.json` file with your key value and name in json format and add it to the private files path at `/wp-content/uploads/private` on Pantheon. Then in your `wp-config.php` file you can retrieve the value, for example:

```php
if ( file_exists( dirname( __FILE__ ) . '/wp-content/uploads/private/secrets.json' ) && isset( $_ENV['PANTHEON_ENVIRONMENT'] ) ) {
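Review bot: "Set the key via Terminus, then use the `pantheon_get_secret()` function" now has no accompanying command, because the `terminus secrets:set examplesite.dev wp_sample_key EXAMPLEKEY1234` example is removed along with the old Terminus Secrets Plugin section; add the Pantheon Secrets command or link to the Terminus section of /guides/secrets, since that is the step readers will actually need. In the private files path fallback, "in json format" should read "in JSON format", the removed note that `secrets.json` lives in a different private directory from Quicksilver scripts is worth keeping next to the new "Create a `secrets.json` file" sentence, and it would help to say here, as the private-paths guide now does, that this file holds the keys unencrypted. The unchanged lead-in "Most plugin and theme author's documentation recommend" should be "authors' documentation recommends", and the two new `###` headings use different capitalisation ("Use Pantheon Secrets" vs "Use the private files path").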
Expand All @@ -82,13 +65,8 @@ if ( file_exists( dirname( __FILE__ ) . '/wp-content/uploads/private/secrets.jso
}
```

### Via Lockr

Lockr provides a simple-to-use developer interface with a scalable, cloud-based key management system. This allows applications of all sizes to meet industry standards for key management. Unlike other key managers, Lockr offers additional layers of security and system monitoring, no ongoing maintenance, and continuous development for integration with your favorite plugins. Refer to our documentation on how to use [Lockr on Pantheon to store your keys in WordPress](/guides/lockr#wordpress-installation) for more information.

## More Resources

- [WordPress Configuration Management](/guides/wordpress-configurations/wp-cfm)
- [WordPress wp-config Configuration](/guides/php/wp-config-php)
- [Terminus Secrets Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin)
- [Store Your Secret Keys with Lockr](/guides/lockr)
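Review bot: After the "Via Lockr" section is removed, the More Resources list still links the legacy [Terminus Secrets Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin) even though the body no longer describes it (that section is removed in the hunk above), while no link to [Pantheon Secrets](/guides/secrets) is added; swap the former for the latter so the resources match the guidance in the body.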
6 changes: 1 addition & 5 deletions source/content/guides/wordpress-pantheon/09-wp-security.md
Expand Up @@ -36,16 +36,14 @@ Pantheon provides additional security through the following features:

- [Secure Runtime Access](/guides/secure-development/secure-runtime-access)

- [Lockr](/guides/lockr)
- [Pantheon Secrets](/guides/secrets)

- [Secure Integration](/guides/secure-development/secure-integration)

- [Two factor authentication](/guides/secure-development/two-factor-authentication)

- [Secure Connections to Pantheon Services via TLS or SSH Tunnels](/guides/secure-development/ssh-tunnels)

- [Secrets Management in WordPress](/guides/wordpress-developer/wordpress-secrets-management)

## Securing WordPress

`wp-login.php` is the primary WordPress login path and is often subject to abuse by bots or other spammers. Refer to the [Avoid WordPress Login Attacks](/guides/wordpress-developer/wordpress-login-attacks) section of the [WordPress Developer's Guide](/guides/wordpress-developer) for information on steps you can take to help secure your site.
Expand Down Expand Up @@ -156,6 +154,4 @@ For detailed information on how to generate and use nonces, review the following
## More Resources

- [Secure Development on Pantheon](/guides/secure-development)
- [Secrets Management in WordPress](/guides/wordpress-developer/wordpress-secrets-management)
- [Terminus Secrets plugin](https://github.com/pantheon-systems/terminus-secrets-plugin)
- [Pantheon Security](/guides/security)
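Review bot: Between this hunk and the one above, both links to the WordPress Secrets Management guide (/guides/wordpress-developer/wordpress-secrets-management) are removed from this page, even though that guide is updated in this same commit and remains the WordPress-specific walkthrough; if the goal was to drop duplicates, keep one of the two (the More Resources entry is the natural place) rather than both.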
4 changes: 2 additions & 2 deletions source/content/integrations.md
Expand Up @@ -110,9 +110,9 @@ These are examples, not necessarily best practice. Please refer to the [Scope o

</Product>

<Product title={"Lockr"} link={"/guides/lockr/"}>
<Product title={"Pantheon Secrets"} link={"/guides/secrets/"}>

[Lockr](https://lockr.io/) works with Pantheon's Secure Integration to provide an additional layer of security to your site.
Pantheon Secrets is key to maintaining industry best practices for secrets management, secure builds, and application implementation to provide an additional layer of security to your site.

</Product>

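Review bot: The new description "Pantheon Secrets is key to maintaining industry best practices for secrets management, secure builds, and application implementation" says nothing concrete about what the integration does; the other guides in this commit describe it as managing keys on the platform and reading them at runtime with `pantheon_get_secret()`, so a sentence to that effect would serve the integrations listing better than the marketing phrasing.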
@@ -1,5 +1,5 @@
---
title: Using Lockr to Secure and Manage API and Encryption Keys
title: "Using Lockr to Secure and Manage API and Encryption Keys [Deprecated]"
description: Detailed information on how to set up and use Lockr in your WordPress and Drupal site.
tags: [plugins, security]
contributors: [cteitzel]
Expand All @@ -14,6 +14,14 @@ product: [terminus]
integration: [lockr, drush]
---

<Alert title="Warning" type="danger">

This page is considered deprecated.

Instead, we recommend using [Pantheon Secrets](/guides/secrets) to securely manage keys on the platform.

</Alert>

[Lockr](https://lockr.io) works with [Pantheon's Secure Integration](/guides/secure-development/secure-integration) to provide an additional layer of security to your site. Lockr is an easy-to-use plugin for WordPress or Drupal to manage your site’s API and encryption keys in a secure off-site hosted environment. Lockr removes the key from your site code and database and stores it in a secure and certified key manager. When your site needs the key for an encryption/decryption or API request, Lockr uses the Pantheon server’s certificate to authenticate on your behalf and release the key.

Site administrators have the ability to control how and where their sensitive keys are stored, thus improving the overall security of the site and allowing it to meet specific regulatory and compliance requirements for key management. Lockr also separately stores development and production specific keys to create an additional layer of security between environments.
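Review bot: The new alert says the page is deprecated but not what that means for sites still using Lockr (whether the plugin and module keep working on Pantheon, or whether they should migrate), which is what a reader landing on a deprecated page needs to know; one sentence on that, with a link to a migration section if /guides/secrets has one, would help. The frontmatter `description` in the first hunk is unchanged and still presents Lockr as the current setup; since listings and search snippets show it, mark the deprecation there too.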
Expand Down Expand Up @@ -47,7 +55,7 @@ With one command your site will be set up. After successfully installing and reg
## WordPress Installation

Lockr is automatically configured to secure API keys for numerous third-party plugins for seamless integration and securing of your keys.
Visit the [GitHub page](https://github.com/lockr/lockr-patches/tree/wp) for a list of plugins that can be automatically patched.
Visit the [GitHub page](https://github.com/lockr/lockr-patches/tree/wp) for a list of plugins that can be automatically patched.

If you do need to upload module files directly to the server, be sure to use SFTP and not FTP.

Expand Down Expand Up @@ -196,4 +204,4 @@ You can email the Lockr Support Team at [email protected] or get real-time suppor
## More Resources

- [Pantheon Security](/guides/security)
- [Terminus Secrets Management Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin)
- [Terminus Secrets Management Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin)
2 changes: 1 addition & 1 deletion source/content/pivotal-tracker.md
Expand Up @@ -61,7 +61,7 @@ As a best practice, start by creating a new machine user in Tracker. This user i

<Alert title="Note" type="info">

When it comes to keeping production keys secure, the best solution is to use a key management service like [Lockr](/guides/lockr) to automatically encrypt and secure keys on distributed platforms such as Pantheon.
When it comes to keeping production keys secure, the best solution is to use a key management service like [Pantheon Secrets](/guides/secrets) to automatically encrypt and secure keys on distributed platforms such as Pantheon.

</Alert>

Expand Up @@ -255,8 +255,8 @@
subtitle: "Enable HTTPS and learn about various authentication methods."
links:
- tile: ""
- text: "Using Lockr to Secure and Manage API and Encryption Keys"
url: "/guides/lockr"
- text: "Pantheon Secrets"
url: "/guides/secrets"
icon: "book"
- text: "Enabling ClamAV for Drupal"
url: "/clamav"
Expand Down Expand Up @@ -521,8 +521,8 @@
- text: "Automatically Test and Deploy GitHub Changes to Pantheon from an Existing Jenkins Server"
url: "/guides/local-development/jenkins"
icons: "fa fa-book"
- text: "Using Lockr to Secure and Manage API and Encryption Keys"
url: "/guides/lockr"
- text: "Pantheon Secrets"
url: "/guides/secrets"
icons: "fa fa-book"
- text: "Pingdom Uptime Check"
url: "/guides/pingdom-uptime-check"
Expand Down Expand Up @@ -865,8 +865,8 @@
url: "/guides/local-development/lando-wordpress"
- text: "Manage Some Dependencies with Composer"
url: "/guides/partial-composer"
- text: "Using Lockr to Secure and Manage API and Encryption Keys"
url: "/guides/lockr"
- text: "Pantheon Secrets"
url: "/guides/secrets"
- text: "Using SendGrid To Deliver Email"
url: "/guides/sendgrid"
- title: "Using WordPress with Pantheon"
Expand Down Expand Up @@ -1491,12 +1491,8 @@
- title: "Secrets Management"
subtitle: ""
links:
- text: "Terminus Secrets Management Plugin"
url: "https://github.com/pantheon-systems/terminus-secrets-plugin"
- text: "Lockr Terminus Plugin"
url: "/lockr#install-lockr-via-the-lockr-terminus-plugin"
- text: "WordPress Secrets Management"
url: "/guides/wordpress-developer/wordpress-secrets-management"
- text: "Pantheon Secrets"
url: "/guides/secrets"
- title: "WordPress Security"
subtitle: ""
links:
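Review bot: The "Secrets Management" landing tile is reduced to the single Pantheon Secrets link, dropping "WordPress Secrets Management" (/guides/wordpress-developer/wordpress-secrets-management) even though that guide is kept and updated in this commit; keeping it as a second link preserves a path from the landing page to the WordPress-specific instructions.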
