nr_vault
netresearch/nr-vault
main
en
Netresearch DTT GmbH
This document is published under the GPL-2.0-or-later license.
Sat, 28 Mar 2026 21:19:58 +0000
Secure secrets management for TYPO3 with envelope encryption, access control, and audit logging.
Your TYPO3 site integrates with Stripe, SendGrid, Google Maps, and a dozen other services. Where are those API keys right now?
Probably in one of these places:
LocalConfiguration.php (committed to git?)If your database leaks, your secrets leak. If an intern gets backend access, they can see your payment credentials. If you need to rotate a compromised key, you're editing config files and redeploying.
There has to be a better way.
Let's compare common approaches, from most to least secure:
| Method | Security | Operational Reality |
|---|---|---|
| External Services (HashiCorp Vault, AWS Secrets Manager) | ⭐⭐⭐⭐⭐ | Requires dedicated infrastructure, network connectivity, and authentication to the service itself. Enterprise-grade, enterprise-priced. |
| Environment Variables | ⭐⭐⭐ | Requires deployment pipeline or host access to set. Container restart needed to change values. No rotation UI, no audit trail, hard to manage. |
| Files outside webroot | ⭐⭐⭐ | Requires deployment or server access. Proper file permissions a must. No management interface, rotation means redeployment. |
| nr-vault (encrypted in database) | ⭐⭐⭐⭐ | Runtime manageable via TYPO3 backend. Rotate anytime. Full audit trail. No external infrastructure required. |
| Plain text in config/database | ⭐ | ❌ No protection. Secrets visible to anyone with database or file access. |
Notice something? All the "more secure" methods share the same operational pain:
And then there's plain text - which is what most TYPO3 extensions actually use.
nr-vault is the sweet spot between "no security" and "enterprise complexity":
| Challenge | Env Vars / Files | nr-vault |
|---|---|---|
| Rotate a compromised API key | Call DevOps, update config, redeploy, restart | Click in backend, done |
| See who accessed a secret | Check deploy logs (if they exist) | Full audit log with timestamps |
| Emergency credential revocation | Wait for deployment pipeline | Immediate via backend module |
| Non-technical editor needs to update SMTP password | Create support ticket | Self-service in backend |
| Compliance audit: prove access history | Manually correlate logs | Export tamper-evident audit trail |
The pitch: Enterprise-grade secret management without enterprise-grade complexity.
nr-vault is a TYPO3 extension providing:
The vault backend module provides an intuitive interface for managing secrets
Before installing nr-vault, ensure your system meets these requirements:
Install the extension using Composer:
composer require netresearch/nr-vaultAfter installation, activate the extension in the TYPO3 backend:
Or use the command line:
vendor/bin/typo3 extension:activate nr_vaultUpdate the database schema to create the required tables:
vendor/bin/typo3 database:updateschemaThis creates the following tables:
tx_nrvault_secret - Stores encrypted secrets with metadata.
tx_nrvault_audit_log - Stores audit log entries with hash chain.nr-vault requires a master encryption key to protect your secrets. There are three options, from simplest to most configurable:
This is the recommended default. nr-vault automatically derives a master key
from TYPO3's built-in encryption key (
$GLOBALS).
No configuration required - nr-vault works immediately after installation.
Benefits:
Note
If you later rotate TYPO3's encryption key, use the vault:rotate-master-key command first to re-encrypt all secrets with the new key.
For containerized deployments or when you need explicit control:
Generate a master key:
openssl rand -base64 32Set the environment variable:
export NR_VAULT_MASTER_KEY="your-generated-key"Configure the extension in Admin Tools > Settings > Extension Configuration:
envNR_VAULT_MASTER_KEYFor maximum security, store the key in a file outside the web root:
openssl rand -base64 32 > /secure/path/vault.key
chmod 0400 /secure/path/vault.keyConfigure the extension:
file/secure/path/vault.keyWarning
For file and environment providers: never commit master keys to version control. Store them securely outside the web root.
See Master key providers for detailed information on each provider.
Verify the installation by listing secrets (should return empty if newly installed):
vendor/bin/typo3 vault:listIf the command executes without errors, the extension is properly configured.
You can also test by storing and retrieving a test secret:
# Store a test secret
vendor/bin/typo3 vault:store test_secret --value="test-value"
# Retrieve it
vendor/bin/typo3 vault:retrieve test_secret
# Clean up
vendor/bin/typo3 vault:delete test_secret --forceConfigure nr-vault in Admin Tools > Settings > Extension Configuration.
Where secrets are stored.
Note
External vault adapters (HashiCorp Vault, AWS Secrets Manager) are planned for future releases. The adapter architecture is designed to support external backends, but currently only the local database adapter is implemented. See Custom storage adapters for information on implementing custom adapters.
How to retrieve the master encryption key.
Source location for the master key. Interpretation depends on the provider:
/secure/path/vault.key ).NR_VAULT_MASTER_KEY ).Allow CLI commands to access secrets without a backend user session.
Comma-separated list of backend user group UIDs that CLI can access. Empty means all secrets are accessible when CLI access is enabled.
Number of days to retain audit log entries. Set to 0 for unlimited retention.
Prefer XChaCha20-Poly1305 over AES-256-GCM. XChaCha20 is recommended when hardware AES acceleration is not available.
Enable request-scoped caching of decrypted secrets. When enabled, repeated retrievals of the same secret within a single request return the cached value instead of decrypting again.
Uses TYPO3's built-in encryption key to derive the master key. This is the recommended default because:
The master key is derived from the encryption key using HKDF-SHA256 with a nr-vault-specific context, ensuring it cannot be used to compromise other TYPO3 functionality.
// How it works internally
$masterKey = hash_hkdf(
'sha256',
$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'],
32,
'nr-vault-master-key'
);Note
If you rotate TYPO3's encryption key, all secrets will need to be re-encrypted. Use the key rotation command before changing the encryption key.
Store the master key in a file with restrictive permissions:
# Generate a new key
openssl rand -base64 32 > /secure/path/vault-master.key
chmod 0400 /secure/path/vault-master.keyConfigure in extension settings:
Warning
The key file must be:
Store the master key in an environment variable:
export NR_VAULT_MASTER_KEY="base64-encoded-key"Configure in extension settings:
This is ideal for containerized deployments where secrets are injected via environment variables.
Access to secrets is controlled by:
Organize secrets by context for easier management:
payment - Payment gateway credentials.email - Email service API keys.api - Third-party API tokens.database - External database credentials.Contexts are user-defined strings that help organize and filter secrets.
Use the
%vault syntax in site configuration files:
settings:
payment:
stripeSecretKey: '%vault(stripe_api_key)%'
email:
mailchimpKey: '%vault(mailchimp_key)%'Secrets are resolved when the site configuration is loaded. This keeps sensitive values out of version control while allowing configuration through the standard TYPO3 site settings.
By default, secrets cannot be resolved in frontend context (TypoScript). To allow a secret to be used in TypoScript:
frontend_accessible metadata.
%vault(identifier)% syntax in TypoScript.$this->vaultService->store(
'google_maps_key',
$apiKey,
[
'metadata' => [
'frontend_accessible' => true,
],
],
);Warning
Frontend-accessible secrets may be exposed in rendered HTML output. Only use this for secrets that are intended to be public (like client-side API keys).
Access the vault through the TYPO3 backend:
The vault overview displays key metrics and provides quick-start code examples
Fill in the form:
stripe_api_key).payment).Secrets are displayed with their metadata but not their values. Click Reveal to temporarily show a secret value.
Note
Revealing a secret creates an audit log entry.
The secrets list provides filtering, bulk actions, and quick access to secret operations
Reference secrets in your site configuration files using the
%vault syntax:
settings:
payment:
stripePublicKey: 'pk_live_...'
stripeSecretKey: '%vault(stripe_secret_key)%'
email:
mailchimpApiKey: '%vault(mailchimp_api_key)%'
sendgridToken: '%vault(sendgrid_token)%'Secrets are resolved at runtime when the site configuration is loaded. This keeps sensitive values out of your version control while still allowing you to configure them through the familiar site settings.
Important
Site configuration secrets are resolved on every request. Ensure your vault storage is performant (the default local adapter caches lookups).
Use vault references in TypoScript for frontend-accessible secrets:
lib.googleMapsKey = TEXT
lib.googleMapsKey.value = %vault(google_maps_api_key)%
page.headerData.10 = TEXT
page.headerData.10.value = <script>var API_KEY = '%vault(public_api_key)%';</script>Warning
Security considerations:
frontend_accessible can be resolved.cache.disable = 1 for
secrets that should not be cached.USER_INT for content containing secrets.Example with caching disabled:
lib.apiKey = TEXT
lib.apiKey {
value = %vault(my_api_key)%
stdWrap.cache.disable = 1
}Initialize the vault and generate a master key:
vendor/bin/typo3 vault:init
# Output as environment variable format
vendor/bin/typo3 vault:init --env
# Specify custom output location
vendor/bin/typo3 vault:init --output=/secure/path/vault.keyCreate or update a secret:
# Interactive (prompts for value)
vendor/bin/typo3 vault:store stripe_api_key
# With all options
vendor/bin/typo3 vault:store payment_key \
--value="sk_live_..." \
--description="Stripe production key" \
--context="payment" \
--expires="+90 days" \
--groups="1,2"Retrieve a secret value:
vendor/bin/typo3 vault:retrieve stripe_api_key
# Quiet mode for scripting
API_KEY=$(vendor/bin/typo3 vault:retrieve -q stripe_api_key)List all accessible secrets:
vendor/bin/typo3 vault:list
# Filter by pattern
vendor/bin/typo3 vault:list --pattern="payment_*"
# JSON output for automation
vendor/bin/typo3 vault:list --format=jsonRotate a secret with a new value:
vendor/bin/typo3 vault:rotate stripe_api_key \
--reason="Scheduled quarterly rotation"Delete a secret:
vendor/bin/typo3 vault:delete old_api_key \
--reason="Service deprecated" \
--forceView the audit log:
# View recent entries
vendor/bin/typo3 vault:audit --days=7
# Filter by secret
vendor/bin/typo3 vault:audit --identifier=stripe_api_key
# Export to JSON
vendor/bin/typo3 vault:audit --format=json > audit.json
The audit log tracks all secret operations with tamper-evident hash chains
Rotate the master encryption key (re-encrypts all DEKs):
# Using old key from file, new key from current config
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--confirm
# Dry run to simulate
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--dry-runScan for potential plaintext secrets in database:
vendor/bin/typo3 vault:scan
# Only critical issues
vendor/bin/typo3 vault:scan --severity=critical
# JSON for CI/CD
vendor/bin/typo3 vault:scan --format=jsonMigrate existing plaintext field values to vault:
# Preview
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --dry-run
# Execute
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_keyRemove orphaned secrets from deleted records:
vendor/bin/typo3 vault:cleanup-orphans --dry-run
vendor/bin/typo3 vault:cleanup-orphans --retention-days=30Inject the VaultService to access secrets programmatically:
use Netresearch\NrVault\Service\VaultServiceInterface;
final class PaymentService
{
public function __construct(
private readonly VaultServiceInterface $vaultService,
) {}
public function getApiKey(): ?string
{
return $this->vaultService->retrieve('stripe_api_key');
}
}$this->vaultService->store(
identifier: 'payment_api_key',
secret: 'sk_live_...',
options: [
'description' => 'Stripe production API key',
'context' => 'payment',
'groups' => [1, 2], // Backend user group UIDs
'expiresAt' => time() + (86400 * 90), // 90 days
],
);if ($this->vaultService->exists('stripe_api_key')) {
$value = $this->vaultService->retrieve('stripe_api_key');
}// Get all accessible secrets
$secrets = $this->vaultService->list();
// Filter by pattern
$paymentSecrets = $this->vaultService->list(pattern: 'payment_*');Make authenticated API calls without exposing secrets to your code.
The HTTP client is PSR-18 compatible. Configure authentication with
with, then use standard
send.
Inject
Vault directly:
use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Http\VaultHttpClientInterface;
final class ExternalApiService
{
public function __construct(
private readonly VaultHttpClientInterface $httpClient,
) {}
public function fetchData(): array
{
// Configure authentication, then use PSR-18
$client = $this->httpClient->withAuthentication(
'api_token',
SecretPlacement::Bearer,
);
$request = new Request('GET', 'https://api.example.com/data');
$response = $client->sendRequest($request);
return json_decode($response->getBody()->getContents(), true);
}
}Or access via VaultService:
use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
$client = $this->vaultService->http()
->withAuthentication('stripe_api_key', SecretPlacement::Bearer);
$request = new Request(
'POST',
'https://api.stripe.com/v1/charges',
['Content-Type' => 'application/json'],
json_encode($payload),
);
$response = $client->sendRequest($request);use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
// Bearer token
$client = $vault->http()
->withAuthentication('api_token', SecretPlacement::Bearer);
$response = $client->sendRequest(new Request('GET', $url));
// API key header (X-API-Key)
$client = $vault->http()
->withAuthentication('api_key', SecretPlacement::ApiKey);
$response = $client->sendRequest(new Request('GET', $url));
// Custom header
$client = $vault->http()
->withAuthentication('api_key', SecretPlacement::Header, [
'headerName' => 'X-Custom-Auth',
]);
$response = $client->sendRequest(new Request('GET', $url));
// Basic authentication with separate secrets
$client = $vault->http()
->withAuthentication('service_password', SecretPlacement::BasicAuth, [
'usernameSecret' => 'service_user',
]);
$response = $client->sendRequest(new Request('GET', $url));
// Query parameter
$client = $vault->http()
->withAuthentication('api_key', SecretPlacement::QueryParam, [
'queryParam' => 'key',
]);
$response = $client->sendRequest(new Request('GET', $url));For a complete real-world example combining TCA vault fields with the HTTP client, see Example: API endpoint management.
A common pattern is storing API endpoints with their credentials in a database table. This example shows how to combine TCA vault fields with the HTTP client.
Table of contents
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
return [
'ctrl' => [
'title' => 'API Endpoints',
'label' => 'name',
],
'columns' => [
'name' => [
'label' => 'Name',
'config' => ['type' => 'input', 'required' => true],
],
'url' => [
'label' => 'API Base URL',
'config' => ['type' => 'input', 'required' => true],
],
'token' => [
'label' => 'API Token',
'config' => [
'type' => 'input',
'renderType' => 'vaultSecret',
],
],
],
];
Creating an API endpoint record (backend):
Fill in the form:
Stripehttps://api.stripe.com/v1The token field uses renderType: 'vaultSecret' which:
What gets stored in the database:
SELECT uid, name, url, token FROM tx_myext_apiendpoint;
-- | uid | name | url | token |
-- |-----|--------|---------------------------|--------------------------------------|
-- | 1 | Stripe | https://api.stripe.com/v1 | 01937b6e-4b6c-7abc-8def-0123456789ab |<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyExtension\Domain\Dto;
final readonly class ApiEndpoint
{
public function __construct(
public int $uid,
public string $name,
public string $url,
public string $token, // Contains vault UUID, not the secret
) {}
/**
* @param array<string, mixed> $row
*/
public static function fromDatabaseRow(array $row): self
{
return new self(
uid: (int) $row['uid'],
name: (string) $row['name'],
url: (string) $row['url'],
token: (string) $row['token'],
);
}
}
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyExtension\Service;
use MyVendor\MyExtension\Domain\Dto\ApiEndpoint;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Service\VaultServiceInterface;
use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Core\Http\RequestFactory;
final class ApiClientService
{
public function __construct(
private readonly VaultServiceInterface $vault,
private readonly RequestFactory $requestFactory,
) {}
/**
* Call an API endpoint with vault-managed authentication.
*
* The token is retrieved from vault and injected at request time.
* It never appears in this code and is wiped from memory immediately.
*/
public function call(
ApiEndpoint $endpoint,
string $method,
string $path,
array $data = [],
): ResponseInterface {
// Create PSR-7 request using TYPO3's RequestFactory
$request = $this->requestFactory->createRequest(
$method,
rtrim($endpoint->url, '/') . '/' . ltrim($path, '/'),
);
if ($data !== [] && \in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
$request = $request
->withHeader('Content-Type', 'application/json')
->withBody(
\GuzzleHttp\Psr7\Utils::streamFor(json_encode($data))
);
}
// Send via VaultHttpClient - token never exposed to application
return $this->vault->http()
->withAuthentication($endpoint->token, SecretPlacement::Bearer)
->withReason('API call to ' . $endpoint->name . ': ' . $path)
->sendRequest($request);
}
/**
* Convenience method for GET requests.
*/
public function get(ApiEndpoint $endpoint, string $path): array
{
$response = $this->call($endpoint, 'GET', $path);
return json_decode(
$response->getBody()->getContents(),
true,
512,
JSON_THROW_ON_ERROR,
);
}
}
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
use MyVendor\MyExtension\Domain\Dto\ApiEndpoint;
use MyVendor\MyExtension\Service\ApiClientService;
// Load endpoint from database
$row = $connection->select(['*'], 'tx_myext_apiendpoint', ['uid' => 1])
->fetchAssociative();
$endpoint = ApiEndpoint::fromDatabaseRow($row);
// Make authenticated API call
$customers = $this->apiClientService->get($endpoint, '/customers');
token field contains a UUID v7 like 01937b6e-4b6c-...
VaultHttpClient::sendRequest() retrieves the actual token from vaultAuthorization: Bearer ... header
sodium_memzero() immediately wipes the token from memoryThis pattern provides several security advantages:
sodium_memzero() .Many TYPO3 extensions integrate with SaaS services (DeepL, Personio, Stepstone, Stripe, etc.) and store API keys in extension settings. This page shows how to secure these credentials with nr-vault.
Table of contents
Extension settings defined in ext_ are stored in
Local - not in TCA tables. This means:
renderType: 'vaultSecret' approach doesn't work directlyThere are three approaches to secure extension settings with vault:
Store a vault reference in extension settings, resolve at runtime.
Advantages:
vault: prefixExtension settings template:
# cat=api; type=string; label=DeepL API Key (Vault Reference): Enter vault:your-secret-id
deeplApiKey = vault:The admin enters a vault reference like vault:deepl_api_key (not the actual key).
The vault: prefix makes it clear this is a vault reference and enables
validation. See ADR-009: Extension configuration secrets for the design rationale.
Service implementation:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyDeeplExtension\Service;
use Netresearch\NrVault\Configuration\VaultReference;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Service\VaultServiceInterface;
use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
use TYPO3\CMS\Core\Http\RequestFactory;
final class DeepLService
{
private const API_URL = 'https://api-free.deepl.com/v2';
private ?VaultReference $apiKeyRef = null;
public function __construct(
private readonly VaultServiceInterface $vault,
private readonly RequestFactory $requestFactory,
ExtensionConfiguration $extensionConfiguration,
) {
$config = $extensionConfiguration->get('my_deepl_extension');
$setting = (string) ($config['deeplApiKey'] ?? '');
// Parse vault reference (validates format, extracts identifier)
$this->apiKeyRef = VaultReference::tryParse($setting);
}
public function translate(string $text, string $targetLang): string
{
if ($this->apiKeyRef === null) {
throw new \RuntimeException(
'DeepL API key not configured. Enter vault:your-secret-id in extension settings.',
1735900000
);
}
$request = $this->requestFactory->createRequest('POST', self::API_URL . '/translate')
->withHeader('Content-Type', 'application/json')
->withBody(\GuzzleHttp\Psr7\Utils::streamFor(json_encode([
'text' => [$text],
'target_lang' => $targetLang,
])));
// Secret resolved at use time, not config load time
$response = $this->vault->http()
->withAuthentication($this->apiKeyRef->identifier, SecretPlacement::Bearer)
->withReason('DeepL translation request')
->sendRequest($request);
$data = json_decode($response->getBody()->getContents(), true);
return $data['translations'][0]['text'] ?? '';
}
}
Setup steps:
Store the actual DeepL API key in vault:
Via backend (recommended):
deepl_api_keyVia CLI (alternative):
./vendor/bin/typo3 vault:store deepl_api_key "your-deepl-api-key-here"Configure extension setting with vault reference:
Via backend:
vault:deepl_api_keyvault: prefix and resolves the secret at use time.Tip
No CLI or file access required. Admins can manage everything through the TYPO3 backend:
vault:identifierFor containerized deployments, reference environment variables.
Extension settings template:
# cat=api; type=string; label=DeepL API Key (env var): Environment variable name containing the API key
deeplApiKeyEnvVar = DEEPL_API_KEYService implementation:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyDeeplExtension\Service;
use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
use TYPO3\CMS\Core\Http\RequestFactory;
final class DeepLService
{
private const API_URL = 'https://api-free.deepl.com/v2';
private string $apiKey;
public function __construct(
private readonly RequestFactory $requestFactory,
ExtensionConfiguration $extensionConfiguration,
) {
$config = $extensionConfiguration->get('my_deepl_extension');
$envVar = (string) ($config['deeplApiKeyEnvVar'] ?? 'DEEPL_API_KEY');
$this->apiKey = getenv($envVar) ?: '';
}
public function translate(string $text, string $targetLang): string
{
// Use TYPO3's RequestFactory directly with env-provided key
$response = $this->requestFactory->request(
self::API_URL . '/translate',
'POST',
[
'headers' => [
'Authorization' => 'DeepL-Auth-Key ' . $this->apiKey,
'Content-Type' => 'application/json',
],
'body' => json_encode([
'text' => [$text],
'target_lang' => $targetLang,
]),
]
);
$data = json_decode($response->getBody()->getContents(), true);
return $data['translations'][0]['text'] ?? '';
}
}
Warning
This approach stores the API key in memory for the request lifetime. No automatic memory cleanup. Consider Approach 1 for sensitive keys.
For maximum security and a proper backend UI, create a configuration record.
TCA definition:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
return [
'ctrl' => [
'title' => 'DeepL Configuration',
'label' => 'name',
'rootLevel' => 1,
'security' => [
'ignorePageTypeRestriction' => true,
],
],
'columns' => [
'name' => [
'label' => 'Configuration Name',
'config' => [
'type' => 'input',
'default' => 'Default',
],
],
'api_key' => [
'label' => 'DeepL API Key',
'config' => [
'type' => 'input',
'renderType' => 'vaultSecret',
],
],
'api_url' => [
'label' => 'API URL',
'config' => [
'type' => 'input',
'default' => 'https://api-free.deepl.com/v2',
],
],
],
'types' => [
'0' => ['showitem' => 'name, api_key, api_url'],
],
];
Repository to load configuration:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyDeeplExtension\Domain\Repository;
use MyVendor\MyDeeplExtension\Domain\Dto\DeepLConfig;
use TYPO3\CMS\Core\Database\ConnectionPool;
final class ConfigRepository
{
public function __construct(
private readonly ConnectionPool $connectionPool,
) {}
public function findDefault(): ?DeepLConfig
{
$row = $this->connectionPool
->getConnectionForTable('tx_mydeeplext_config')
->select(['*'], 'tx_mydeeplext_config', ['deleted' => 0])
->fetchAssociative();
return $row ? DeepLConfig::fromDatabaseRow($row) : null;
}
}
DTO:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyDeeplExtension\Domain\Dto;
final readonly class DeepLConfig
{
public function __construct(
public int $uid,
public string $name,
public string $apiKey, // Vault UUID
public string $apiUrl,
) {}
public static function fromDatabaseRow(array $row): self
{
return new self(
uid: (int) $row['uid'],
name: (string) $row['name'],
apiKey: (string) $row['api_key'],
apiUrl: (string) $row['api_url'],
);
}
}
Service using config record:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace MyVendor\MyDeeplExtension\Service;
use MyVendor\MyDeeplExtension\Domain\Repository\ConfigRepository;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Service\VaultServiceInterface;
use TYPO3\CMS\Core\Http\RequestFactory;
final class DeepLService
{
public function __construct(
private readonly VaultServiceInterface $vault,
private readonly RequestFactory $requestFactory,
private readonly ConfigRepository $configRepository,
) {}
public function translate(string $text, string $targetLang): string
{
$config = $this->configRepository->findDefault();
if ($config === null) {
throw new \RuntimeException('DeepL not configured', 1735900001);
}
$request = $this->requestFactory
->createRequest('POST', $config->apiUrl . '/translate')
->withHeader('Content-Type', 'application/json')
->withBody(\GuzzleHttp\Psr7\Utils::streamFor(json_encode([
'text' => [$text],
'target_lang' => $targetLang,
])));
$response = $this->vault->http()
->withAuthentication($config->apiKey, SecretPlacement::Bearer)
->withReason('DeepL translation: ' . $targetLang)
->sendRequest($request);
$data = json_decode($response->getBody()->getContents(), true);
return $data['translations'][0]['text'] ?? '';
}
}
Advantages of Approach 3:
| Aspect | Approach 1 (Vault ID) | Approach 2 (Env var) | Approach 3 (TCA record) |
|---|---|---|---|
| Setup complexity | Low | Low | Medium |
| Security | High | Medium | High |
| Memory safety | Yes (sodium_memzero) | No | Yes (sodium_memzero) |
| Audit trail | Yes | No | Yes |
| Backend UI | Text field | Text field | Vault secret field |
| Multi-config | Manual | Manual | Native |
Recommendation: Use Approach 1 for simple single-key integrations, Approach 3 for complex integrations requiring multiple configurations or strict access control.
nr-vault uses envelope encryption, an industry-standard pattern for protecting sensitive data.
+-------------------+
| Master Key |
+--------+----------+
|
| encrypts
|
+-----+------+--------+
| | |
v v v
+------+ +------+ +------+
| DEK1 | | DEK2 | | DEK3 |
+--+---+ +--+---+ +--+---+
| | |
| encrypts | encrypts | encrypts
v v v
+------+ +------+ +------+
|Value1| |Value2| |Value3|
+------+ +------+ +------+
Secret 1 Secret 2 Secret 3Both algorithms provide:
The master key is the root of trust for all secrets.
settings.php .
No additional configuration required.When using the file provider:
Warning
If the master key is compromised, all secrets must be considered compromised. Rotate the master key and all secrets immediately.
All secret operations are logged with:
Audit log entries form a hash chain where each entry includes a hash of the previous entry. This provides:
The audit hash chain is authenticated with HMAC-SHA256, using a key derived from the master key via HKDF (see ADR-023: Audit hash chain HMAC consideration). This provides adversarial tamper resistance in addition to tamper detection:
"nr-vault-audit-hmac-v1"), ensuring independence from
encryption key material.Use the vault:audit-migrate-hmac command to migrate existing legacy
entries to HMAC-SHA256. See vault:audit-migrate-hmac for details.
Secret access is controlled at multiple levels:
Note
CLI access requires explicit configuration and can be restricted to specific groups.
If you discover a security vulnerability, please report it responsibly:
DO NOT create a public GitHub issue.
Use GitHub's private security reporting feature: Report a vulnerability
See SECURITY. for the full security policy.
nr-vault follows clean architecture principles with these main components:
VaultService - Main facade for all vault operations.
EncryptionService - Envelope encryption implementation.
MasterKeyProvider - Master key retrieval abstraction.
SecretRepository - Database persistence.
VaultAdapterInterface - Storage backend abstraction.
AccessControlService - Permission checks.
AuditLogService - Operation logging.Note
nr-vault currently includes only the local database adapter. External vault adapters (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) are planned for future releases. The adapter architecture below allows you to implement your own custom adapters in the meantime.
Implement
Vault to add new storage backends:
namespace MyVendor\MyExtension\Adapter;
use Netresearch\NrVault\Adapter\VaultAdapterInterface;
use Netresearch\NrVault\Domain\Model\Secret;
final class CustomAdapter implements VaultAdapterInterface
{
public function getIdentifier(): string
{
return 'custom';
}
public function isAvailable(): bool
{
// Check if your backend is configured and reachable
}
public function store(Secret $secret): void
{
// Store secret in your backend
}
public function retrieve(string $identifier): ?Secret
{
// Retrieve secret from your backend
}
public function delete(string $identifier): void
{
// Delete from your backend
}
public function exists(string $identifier): bool
{
// Check if secret exists
}
public function list(?\Netresearch\NrVault\Domain\Dto\SecretFilters $filters = null): array
{
// List secret identifiers
}
public function getMetadata(string $identifier): ?array
{
// Get secret metadata
}
public function updateMetadata(string $identifier, array $metadata): void
{
// Update metadata
}
public function incrementReadCount(int $uid): void
{
// Increment read counter atomically
}
}Register in Services.:
MyVendor\MyExtension\Adapter\CustomAdapter:
tags:
- name: nr_vault.adapter
identifier: customNote
nr-vault includes three built-in master key providers: typo3 (derives from TYPO3's encryption key), file (reads from filesystem), and env (reads from environment variable). The example below shows how to implement a custom provider for enterprise key management systems like HashiCorp Vault Transit or AWS KMS.
Implement
Master for custom key sources:
namespace MyVendor\MyExtension\Crypto;
use Netresearch\NrVault\Crypto\MasterKeyProviderInterface;
final class VaultKeyProvider implements MasterKeyProviderInterface
{
public function getIdentifier(): string
{
return 'hashicorp';
}
public function isAvailable(): bool
{
// Check if HashiCorp Vault is accessible
}
public function getMasterKey(): string
{
// Retrieve key from HashiCorp Vault
}
public function storeMasterKey(string $key): void
{
// Store key in HashiCorp Vault
}
public function generateMasterKey(): string
{
return random_bytes(32);
}
}nr-vault dispatches PSR-14 events for extensibility:
Example listener:
namespace MyVendor\MyExtension\EventListener;
use Netresearch\NrVault\Event\SecretAccessedEvent;
final class SecretAccessLogger
{
public function __invoke(SecretAccessedEvent $event): void
{
// Custom logging or alerting
$identifier = $event->getIdentifier();
$actorUid = $event->getActorUid();
}
}Use DDEV for local development:
ddev start
ddev install-v14
ddev vault-init# Unit tests
Build/Scripts/runTests.sh -s unit
# Functional tests
Build/Scripts/runTests.sh -s functional# Code style (PHP-CS-Fixer)
Build/Scripts/runTests.sh -s cgl
# Static analysis (PHPStan)
Build/Scripts/runTests.sh -s phpstanSee CONTRIBUTING. for contribution guidelines.
Main facade for vault operations.
Rotate a secret with a new value.
This chapter documents the public API of the nr-vault extension.
The main service for interacting with the vault.
Main interface for vault operations.
Store a secret in the vault.
Unique identifier for the secret.
The secret value to store.
Optional configuration (owner, groups, context, expiresAt, metadata).
Retrieve a secret from the vault.
The secret identifier.
string|null
If user lacks read permission.
If the secret has expired.
The decrypted secret value or null if not found.
Check if a secret exists.
The secret identifier.
True if the secret exists.
Delete a secret from the vault.
The secret identifier.
Optional reason for deletion (logged).
If secret doesn't exist.
If user lacks delete permission.
Rotate a secret with a new value.
The secret identifier.
The new secret value.
Optional reason for rotation (logged).
List accessible secrets.
Optional pattern to filter identifiers.
Array of secret metadata.
use Netresearch\NrVault\Service\VaultServiceInterface;
class MyService
{
public function __construct(
private readonly VaultServiceInterface $vault,
) {}
public function storeApiKey(string $apiKey): void
{
$this->vault->store(
'my_extension_api_key',
$apiKey,
[
'description' => 'API key for external service',
'groups' => [1, 2], // Admin, Editor groups
'context' => 'payment',
'expiresAt' => time() + 86400 * 90, // 90 days
]
);
}
}public function getApiKey(): ?string
{
return $this->vault->retrieve('my_extension_api_key');
}The vault provides a PSR-18 compatible HTTP client that can inject secrets
into requests without exposing them to your code. Configure authentication
with
with, then use standard
send.
use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Http\VaultHttpClientInterface;
final class ExternalApiService
{
public function __construct(
private readonly VaultHttpClientInterface $httpClient,
) {}
public function fetchData(): array
{
// Configure authentication, then use standard PSR-18
$client = $this->httpClient->withAuthentication(
'api_token',
SecretPlacement::Bearer,
);
$request = new Request('GET', 'https://api.example.com/data');
$response = $client->sendRequest($request);
return json_decode($response->getBody()->getContents(), true);
}
}use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
$client = $this->vaultService->http()
->withAuthentication('stripe_api_key', SecretPlacement::Bearer);
$request = new Request(
'POST',
'https://api.stripe.com/v1/charges',
['Content-Type' => 'application/json'],
json_encode($payload),
);
$response = $client->sendRequest($request);PSR-18 compatible HTTP client with vault-based authentication.
Extends
\Psr\.
Create a new client instance configured with authentication. Returns an immutable instance - the original is unchanged.
Vault identifier for the secret.
How to inject the secret.
Additional options (headerName, queryParam, usernameSecret, reason).
New client instance with authentication configured.
Create a new client instance configured with OAuth 2.0 authentication.
OAuth configuration.
Audit log reason.
New client instance with OAuth configured.
The
with method accepts these options:
SecretPlacement::Header , default: X-API-Key).
SecretPlacement::QueryParam , default: api_key).
SecretPlacement::BodyField , default: api_key).
SecretPlacement::BasicAuth ).Authentication placement using
Secret enum:
SecretPlacement::Bearer - Bearer token in Authorization header.
SecretPlacement::BasicAuth - HTTP Basic Authentication.
SecretPlacement::Header - Custom header value.
SecretPlacement::QueryParam - Query parameter.
SecretPlacement::BodyField - Field in request body.
SecretPlacement::OAuth2 - OAuth 2.0 with automatic token refresh.
SecretPlacement::ApiKey - X-API-Key header (shorthand).use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
// Bearer authentication
$client = $this->vault->http()
->withAuthentication('stripe_api_key', SecretPlacement::Bearer);
$response = $client->sendRequest(
new Request('POST', 'https://api.stripe.com/v1/charges', [], $body)
);
// Custom header
$client = $this->vault->http()
->withAuthentication('api_token', SecretPlacement::Header, [
'headerName' => 'X-API-Key',
]);
$response = $client->sendRequest(
new Request('GET', 'https://api.example.com/data')
);
// Basic authentication with separate credentials
$client = $this->vault->http()
->withAuthentication('service_password', SecretPlacement::BasicAuth, [
'usernameSecret' => 'service_username',
'reason' => 'Fetching secure data',
]);
$response = $client->sendRequest(
new Request('GET', 'https://api.example.com/secure')
);
// Query parameter
$client = $this->vault->http()
->withAuthentication('api_key', SecretPlacement::QueryParam, [
'queryParam' => 'key',
]);
$response = $client->sendRequest(
new Request('GET', 'https://maps.example.com/geocode')
);The vault dispatches events during secret operations.
Dispatched when a new secret is created.
getIdentifier() : The secret identifier.
getSecret() : The Secret entity.
getActorUid() : User ID who created it.Dispatched when a secret is read.
getIdentifier() : The secret identifier.
getActorUid() : User ID who accessed it.
getContext() : The secret's context.Dispatched when a secret is rotated.
getIdentifier() : The secret identifier.
getNewVersion() : The new version number.
getActorUid() : User ID who rotated it.
getReason() : The rotation reason.Dispatched when a secret is deleted.
getIdentifier() : The secret identifier.
getActorUid() : User ID who deleted it.
getReason() : The deletion reason.Dispatched when a secret value is updated (without rotation).
getIdentifier() : The secret identifier.
getNewVersion() : The new version number.
getActorUid() : User ID who updated it.Dispatched after master key rotation completes.
getSecretsReEncrypted() : Number of secrets re-encrypted.
getActorUid() : User ID who performed the rotation.
getRotatedAt() : DateTimeImmutable of when rotation completed.nr-vault provides several CLI commands for DevOps automation and management.
Initialize the vault by creating a master key.
vendor/bin/typo3 vault:init [options]var/vault/master.key ).# Initialize with default location
vendor/bin/typo3 vault:init
# Specify custom key file location
vendor/bin/typo3 vault:init --output=/secure/path/vault.key
# Output as environment variable
vendor/bin/typo3 vault:init --envWarning
The master key file should be stored outside the webroot with restricted permissions (0400 or 0600). Never commit it to version control.
Store a secret in the vault.
vendor/bin/typo3 vault:store <identifier> [options]+90 days).# Interactive (prompts for secret)
vendor/bin/typo3 vault:store stripe_api_key
# With options
vendor/bin/typo3 vault:store payment_key \
--value="sk_live_..." \
--description="Stripe production key" \
--context="payment" \
--expires="+90 days" \
--groups="1,2"Retrieve a secret from the vault.
vendor/bin/typo3 vault:retrieve <identifier> [options]# Display with metadata
vendor/bin/typo3 vault:retrieve stripe_api_key
# For use in scripts
API_KEY=$(vendor/bin/typo3 vault:retrieve -q stripe_api_key)List all accessible secrets.
vendor/bin/typo3 vault:list [options]* wildcard).# List all secrets
vendor/bin/typo3 vault:list
# Filter by pattern
vendor/bin/typo3 vault:list --pattern="payment_*"
# JSON output for automation
vendor/bin/typo3 vault:list --format=jsonRotate a secret with a new value.
vendor/bin/typo3 vault:rotate <identifier> [options]vendor/bin/typo3 vault:rotate stripe_api_key \
--reason="Scheduled quarterly rotation"Delete a secret from the vault.
vendor/bin/typo3 vault:delete <identifier> [options]vendor/bin/typo3 vault:delete old_api_key \
--reason="Service deprecated" \
--forceView the audit log.
vendor/bin/typo3 vault:audit [options]# View recent audit log
vendor/bin/typo3 vault:audit --days=7
# Filter by secret
vendor/bin/typo3 vault:audit --identifier=stripe_api_key
# Export to JSON
vendor/bin/typo3 vault:audit --format=json > audit.jsonRotate the master encryption key. Re-encrypts all DEKs with a new master key.
vendor/bin/typo3 vault:rotate-master-key [options]Warning
Master key rotation re-encrypts all Data Encryption Keys (DEKs). Ensure you have a backup of the old key before proceeding.
# Old key from file, new key from current config
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/secure/path/old-master.key \
--confirm
# Both keys from files
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--new-key=/path/to/new.key \
--confirm
# Dry run to verify before actual rotation
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--dry-runScan for potential plaintext secrets in database and configuration.
vendor/bin/typo3 vault:scan [options]The command detects:
# Scan all sources
vendor/bin/typo3 vault:scan
# Output as JSON for CI/CD
vendor/bin/typo3 vault:scan --format=json
# Exclude cache tables
vendor/bin/typo3 vault:scan --exclude=cache_*,cf_*
# Only show critical issues
vendor/bin/typo3 vault:scan --severity=criticalMigrate existing plaintext database field values to vault storage.
vendor/bin/typo3 vault:migrate-field <table> <field> [options]tx_myext_settings).pid=1).Attention
Always backup your database before running migrations.
# Preview migration
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --dry-run
# Migrate with specific records
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --where="pid=1"
# Migrate and clear source field
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_key --clear-sourceClean up orphaned vault secrets from deleted TCA records.
When records with vault-backed fields are deleted, the corresponding vault secrets may become orphaned. This command identifies and removes such orphaned secrets.
vendor/bin/typo3 vault:cleanup-orphans [options]# Preview orphan cleanup
vendor/bin/typo3 vault:cleanup-orphans --dry-run
# Only clean up orphans older than 30 days
vendor/bin/typo3 vault:cleanup-orphans --retention-days=30
# Clean up orphans for specific table only
vendor/bin/typo3 vault:cleanup-orphans --table=tx_myext_settingsMigrate existing audit log entries from plain SHA-256 (epoch 0) to
HMAC-SHA256 (target epoch configured via auditHmacEpoch). This command
rehashes all audit log entries using an HMAC key derived from the master key,
upgrading the hash chain from tamper detection to adversarial tamper resistance.
See ADR-023: Audit hash chain HMAC consideration for the architectural decision behind this migration.
vendor/bin/typo3 vault:audit-migrate-hmac [options]# Preview migration
vendor/bin/typo3 vault:audit-migrate-hmac --dry-run
# Run the migration
vendor/bin/typo3 vault:audit-migrate-hmacAttention
This command requires a valid master key to derive the HMAC key. Always backup your database before running the migration. Once migrated, entries cannot be reverted to plain SHA-256 without restoring the backup.
nr-vault provides a custom TCA field type that allows any TYPO3 extension to store sensitive data (API keys, credentials, tokens) securely in the vault instead of plaintext in the database.
Table of contents
Add nr-vault as a dependency in your extension's composer.:
{
"require": {
"netresearch/nr-vault": "^0.4"
}
}Use the vaultSecret renderType in your TCA configuration:
<?php
return [
'ctrl' => [
'title' => 'My Extension Settings',
// ... other ctrl settings
],
'columns' => [
'api_key' => [
'label' => 'API Key',
'config' => [
'type' => 'input',
'renderType' => 'vaultSecret',
'size' => 30,
],
],
],
];Add the column to your extension's ext_:
CREATE TABLE tx_myext_settings (
api_key varchar(255) DEFAULT '' NOT NULL
);The column stores the vault identifier, not the actual secret.
Use the
Vault utility to retrieve actual secret values:
use Netresearch\NrVault\Utility\VaultFieldResolver;
class MyService
{
public function callExternalApi(array $settings): void
{
// Resolve vault identifiers to actual values
$resolved = VaultFieldResolver::resolveFields(
$settings,
['api_key', 'api_secret']
);
// Now $resolved['api_key'] contains the actual secret
$client->authenticate($resolved['api_key']);
}
}For cleaner TCA configuration, use the
Vault:
<?php
use Netresearch\NrVault\TCA\VaultFieldHelper;
return [
'columns' => [
'api_key' => VaultFieldHelper::getFieldConfig([
'label' => 'API Key',
'description' => 'Your API authentication key',
'size' => 30,
]),
// Secure field with common defaults (exclude: true, l10n_mode: exclude)
'api_secret' => VaultFieldHelper::getSecureFieldConfig(
'API Secret',
['required' => true]
),
],
];| Option | Type | Description |
|---|---|---|
label | string | Field label. |
description | string | Field description/help text. |
size | int | Input field size (default: 30). |
required | bool | Whether field is required (default: false). |
placeholder | string | Placeholder text. |
displayCond | string | TCA display condition. |
l10n_mode | string | Localization mode. |
exclude | bool | Exclude from non-admin access. |
Vault secrets also work in FlexForm fields:
<T3DataStructure>
<sheets>
<settings>
<ROOT>
<el>
<apiKey>
<label>API Key</label>
<config>
<type>input</type>
<renderType>vaultSecret</renderType>
<size>30</size>
</config>
</apiKey>
</el>
</ROOT>
</settings>
</sheets>
</T3DataStructure>Resolve FlexForm secrets using
Flex:
use Netresearch\NrVault\Utility\FlexFormVaultResolver;
use TYPO3\CMS\Core\Service\FlexFormService;
class MyPlugin
{
public function __construct(
private readonly FlexFormService $flexFormService,
) {}
public function processSettings(array $contentElement): array
{
$settings = $this->flexFormService->convertFlexFormContentToArray(
$contentElement['pi_flexform']
);
// Resolve specific fields
return FlexFormVaultResolver::resolveSettings(
$settings,
['apiKey', 'apiSecret']
);
// Or resolve all vault identifiers automatically
return FlexFormVaultResolver::resolveAll($settings);
}
}The
Vault class provides utilities for working with
vault-backed TCA fields.
Resolve specific fields in a data array:
$resolved = VaultFieldResolver::resolveFields(
$data, // Array with potential vault identifiers
['field1'], // Fields to resolve
false // Throw on error (default: false)
);Resolve a single vault identifier (UUID v7 format):
// TCA field identifiers use UUID v7 format
$secret = VaultFieldResolver::resolve('01937b6e-4b6c-7abc-8def-0123456789ab');Automatically resolve all vault fields in a record based on TCA:
$resolved = VaultFieldResolver::resolveRecord('tx_myext_settings', $record);Check if a value is a vault identifier:
if (VaultFieldResolver::isVaultIdentifier($value)) {
// This is a vault identifier
}Get list of vault field names for a table:
$fields = VaultFieldResolver::getVaultFieldsForTable('tx_myext_settings');
// Returns: ['api_key', 'api_secret']
VaultSecretElement renders an obfuscated
password field with reveal/copy buttons.Form submit: The
Data intercepts the form data:
VaultFieldResolver to
look up the actual secret from the vault using the UUID.TCA and FlexForm fields use UUID v7 identifiers:
01937b6e-4b6c-7abc-8def-0123456789ab
UUID v7 provides:
The source context (table, field, uid) is stored as metadata in the vault, not in the identifier itself.
Tip
See ADR-001: UUID v7 for secret identifiers for the full rationale behind this design decision.
Vault secrets inherit the access control of the record they belong to. If a backend user can edit the record, they can update the vault secret.
The reveal button requires explicit user action and is logged.
All vault operations are logged:
Review the audit log in the backend module under Admin Tools > Vault > Audit Log.
Only vault identifiers are stored in your extension's database tables. The actual secrets are encrypted with AES-256-GCM in the vault.
To migrate existing plaintext credentials to vault storage:
renderType to your existing TCA field configuration.Run the migration command:
vendor/bin/typo3 vault:migrate-field tx_myext_settings api_keyThis will:
Attention
Always backup your database before running migrations.
Note
Secure Outbound is a planned feature for nr-vault. This documentation describes the planned architecture and API. Implementation is in progress.
Secure Outbound extends nr-vault into a governed outbound integration platform for TYPO3. It provides centralized credential management, policy enforcement, and audit logging for all external API calls.
Table of contents
TYPO3 projects increasingly depend on external APIs (LLMs, shipping, payments, CRM, marketing, internal platforms). Today, most integrations are implemented per extension:
Secure Outbound addresses these issues with three core components:
serviceId.Services are centrally configured with:
Extensions never hardcode endpoints. They reference services by serviceId.
Credential Sets are typed wrappers over nr-vault secrets. They store encrypted JSON payloads containing all fields for a credential type:
Bearer Token:
{"token": "sk-abc123..."}OAuth2 Client Credentials:
{
"client_id": "my-client",
"client_secret": "secret123",
"token_url": "https://oauth.example.com/token",
"scopes": ["read", "write"]
}Supported credential types (MVP):
Extensions call external services using a simple PHP API:
interface SecureHttpClientInterface
{
public function request(
string $serviceId,
string $method,
string $path,
array $options = []
): SecureHttpResponse;
}Request options:
query: Query parametersheaders: Additional headers (non-secret)json: JSON bodybody: Raw bodytimeout: Timeout override (clamped by policy)idempotencyKey: Optional idempotency keyResponse:
$response->statusCode(); // int
$response->headers(); // array
$response->body(); // string
$response->json(); // array (throws on invalid JSON)All requests are validated against the service's security policy:
Every outbound call is logged with metadata:
Request/response bodies and secrets are never logged.
Credentials are:
Secure Outbound supports multiple transport backends:
Uses PSR-18 or Symfony HttpClient. Works everywhere, no special requirements.
Rust-based transport that:
Requires:
ffi.enable=preload configurationSee ADR-013: Rust FFI preload-only mode for security considerations.
For highest security requirements, a separate daemon process can provide stronger isolation. See ADR-016: Sidecar daemon option.
use Netresearch\NrVault\Service\SecureHttpClientInterface;
final class MyApiService
{
public function __construct(
private readonly SecureHttpClientInterface $httpClient,
) {}
public function fetchData(string $resourceId): array
{
$response = $this->httpClient->request(
serviceId: 'my-api',
method: 'GET',
path: '/resources/' . $resourceId,
options: [
'query' => ['include' => 'metadata'],
]
);
return $response->json();
}
}The my-api service and its credentials are configured in the backend
module. The extension code never handles credentials directly.
This section documents significant architectural decisions made during the development of nr-vault, along with the context and consequences of each decision.
Architecture Decision Records (ADRs) capture important decisions along with their context and consequences. They provide a historical record of why certain decisions were made, helping future maintainers understand the codebase.
Table of contents
Table of contents
Accepted
2026-01-03
The nr-vault extension needs a reliable, collision-free identifier format for secrets stored in the vault. These identifiers are:
Initially, a human-readable format was considered
({table}__{field}__{uid}), but this approach has drawbacks:
What identifier format should be used for vault secrets that:
Format: {table}__{field}__{uid} (e.g., tx_myext__api_key__42)
Pros:
Cons:
Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
Pros:
Cons:
Format: xxxxxxxx-xxxx-7xxx-yxxx-xxxxxxxxxxxx
Pros:
Cons:
Similar to UUID v4 but with different byte ordering.
Pros:
Cons:
We chose UUID v7 because:
private function generateUuid(): string
{
// 48-bit timestamp in milliseconds
$time = (int) (microtime(true) * 1000);
$random = random_bytes(10);
return sprintf(
'%08x-%04x-7%03x-%04x-%012x',
($time >> 16) & 0xFFFFFFFF,
$time & 0xFFFF,
ord($random[0]) << 4 | ord($random[1]) >> 4 & 0x0FFF,
(ord($random[1]) & 0x0F) << 8 | ord($random[2]) & 0x3FFF | 0x8000,
(ord($random[3]) << 40) | (ord($random[4]) << 32)
| (ord($random[5]) << 24) | (ord($random[6]) << 16)
| (ord($random[7]) << 8) | ord($random[8]),
);
}Pattern used to validate UUID v7 identifiers:
private const string UUID_PATTERN =
'/^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i';
public static function isVaultIdentifier(mixed $value): bool
{
if (!is_string($value) || $value === '') {
return false;
}
return preg_match(self::UUID_PATTERN, $value) === 1;
}Valid UUID v7 examples:
01937b6e-4b6c-7abc-8def-0123456789ab
01937b6f-0000-7000-8000-000000000000
01937b6f-ffff-7fff-bfff-ffffffffffff
The format components:
7)8, 9, a, or b)Table of contents
Accepted
2026-01-03
The nr-vault extension needs to encrypt secrets at rest in the database. The encryption approach must:
How should secrets be encrypted to provide strong security while enabling efficient operations like key rotation?
Encrypt each secret directly with the master key.
Pros:
Cons:
Two-layer encryption: unique Data Encryption Key (DEK) per secret, encrypted with Master Key (KEK).
Pros:
Cons:
We chose envelope encryption with AES-256-GCM (primary) or XChaCha20-Poly1305 (fallback) because:
1. Generate unique DEK (32 bytes) for the secret
2. Generate two random nonces (12 or 24 bytes each)
3. Encrypt DEK with master key: encryptedDek = AEAD(DEK, masterKey, dekNonce)
4. Encrypt secret with DEK: encryptedValue = AEAD(secret, DEK, valueNonce)
5. Calculate SHA-256 checksum for change detection
6. Clear sensitive data from memory (sodium_memzero)
7. Store: encryptedValue, encryptedDek, dekNonce, valueNonce, checksum1. Retrieve master key from provider
2. Decrypt DEK: DEK = AEAD_decrypt(encryptedDek, masterKey, dekNonce)
3. Decrypt secret: secret = AEAD_decrypt(encryptedValue, DEK, valueNonce)
4. Clear DEK and master key from memory
5. Return plaintext secretprivate function useAes256Gcm(): bool
{
// Use AES-256-GCM if hardware acceleration available
// Otherwise fall back to XChaCha20-Poly1305
if (!sodium_crypto_aead_aes256gcm_is_available()) {
return false;
}
return !$this->configuration->preferXChaCha20();
}
private function getNonceLength(): int
{
return $this->useAes256Gcm()
? SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES // 12 bytes
: SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24 bytes
}try {
$dek = $this->generateDek();
$encryptedValue = $this->encryptWithKey($plaintext, $dek, $valueNonce);
// ... store encrypted data
} finally {
sodium_memzero($dek);
sodium_memzero($masterKey);
sodium_memzero($plaintext);
}With envelope encryption, rotating the master key is efficient:
public function reEncryptDek(
string $encryptedDek,
string $dekNonce,
string $identifier,
string $oldMasterKey,
string $newMasterKey,
): array {
// Decrypt DEK with old master key
$dek = $this->decryptDek($encryptedDek, $dekNonce, $identifier, $oldMasterKey);
// Re-encrypt DEK with new master key
$newNonce = random_bytes($this->getNonceLength());
$newEncryptedDek = $this->encryptWithKey($dek, $newMasterKey, $newNonce);
sodium_memzero($dek);
return ['encrypted_dek' => $newEncryptedDek, 'dek_nonce' => $newNonce];
}encrypted_value mediumblob, -- AEAD ciphertext + auth tag
encrypted_dek text, -- Base64-encoded encrypted DEK
dek_nonce varchar(24) NOT NULL, -- Base64-encoded DEK nonce
value_nonce varchar(24) NOT NULL, -- Base64-encoded value nonce
encryption_version int unsigned, -- For algorithm migrations
value_checksum char(64) NOT NULL, -- SHA-256 for change detectionTable of contents
Accepted
2026-01-03
The envelope encryption system (see ADR-002: Envelope encryption) requires a master key to encrypt Data Encryption Keys (DEKs). The master key management approach must:
How should the master key be stored, retrieved, and rotated across different deployment scenarios?
Always derive from TYPO3's encryption key.
Pros:
Cons:
Interface-based providers with factory pattern for selection.
Pros:
Cons:
We chose a pluggable provider system with three built-in providers:
This provides zero-config operation while enabling enterprise deployments.
interface MasterKeyProviderInterface
{
public function getIdentifier(): string;
public function isAvailable(): bool;
public function getMasterKey(): string;
public function storeMasterKey(string $key): void;
public function generateMasterKey(): string;
}Uses HKDF-SHA256 to derive a vault-specific key from TYPO3's encryption key:
final class Typo3MasterKeyProvider implements MasterKeyProviderInterface
{
private const int KEY_LENGTH = 32;
private const string HKDF_INFO = 'nr-vault-master-key';
public function getMasterKey(): string
{
$encryptionKey = $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'];
return hash_hkdf(
'sha256',
$encryptionKey,
self::KEY_LENGTH,
self::HKDF_INFO,
);
}
}The HKDF context string nr-vault-master-key ensures the derived key is
unique to nr-vault even if other extensions use the same derivation pattern.
Reads a 32-byte key from a file with strict permission requirements:
public function getMasterKey(): string
{
$key = file_get_contents($this->keyPath);
$key = trim($key); // Remove trailing newlines
// Handle base64-encoded keys
if (strlen($key) !== self::KEY_LENGTH) {
$decoded = base64_decode($key, true);
if ($decoded !== false && strlen($decoded) === self::KEY_LENGTH) {
return $decoded;
}
}
return $key;
}
public function storeMasterKey(string $key): void
{
file_put_contents($this->keyPath, base64_encode($key));
chmod($this->keyPath, 0o400); // Read-only for owner
}Reads key from environment variable (default: NR_VAULT_MASTER_KEY):
public function getMasterKey(): string
{
$key = getenv($this->envVarName);
if ($key === false || $key === '') {
throw MasterKeyException::environmentVariableNotSet($this->envVarName);
}
// Handle base64-encoded keys
$decoded = base64_decode($key, true);
if ($decoded !== false && strlen($decoded) === self::KEY_LENGTH) {
return $decoded;
}
return $key;
}public function getAvailableProvider(): MasterKeyProviderInterface
{
// 1. Try explicitly configured provider
$configured = $this->configuration->getMasterKeyProvider();
if ($configured && $this->providers[$configured]->isAvailable()) {
return $this->providers[$configured];
}
// 2. Fallback chain: typo3 -> env -> file
foreach (['typo3', 'env', 'file'] as $id) {
if ($this->providers[$id]->isAvailable()) {
return $this->providers[$id];
}
}
// 3. Return TYPO3 provider (will fail with clear error)
return $this->providers['typo3'];
}$GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['nr_vault'] = [
'masterKeyProvider' => 'typo3', // typo3, file, or env
'masterKeySource' => 'NR_VAULT_MASTER_KEY', // env var or file path
'autoKeyPath' => 'var/secrets/vault-master.key', // auto-generated key
];# Dry run first
vendor/bin/typo3 vault:rotate-master-key --dry-run
# Execute rotation
vendor/bin/typo3 vault:rotate-master-key \
--old-key=/path/to/old.key \
--new-key=/path/to/new.key \
--confirmThe rotation process:
MasterKeyRotatedEvent encryptionKey breaks vault accessTable of contents
Accepted
2026-01-03
TYPO3 extensions commonly store sensitive data (API keys, credentials, tokens) in database fields configured via TCA. The nr-vault extension needs to provide a seamless way to store these values securely without requiring extensions to rewrite their data handling.
The integration must:
How should nr-vault integrate with TYPO3's TCA system to transparently encrypt sensitive fields while maintaining standard TYPO3 workflows?
Create a completely new TCA field type.
Pros:
Cons:
Override the default input field rendering globally.
Pros:
Cons:
Provide a renderType for FormEngine and intercept saves via hooks.
Pros:
renderType: 'vaultSecret')Cons:
We chose custom renderType with DataHandler hooks because:
renderType: 'vaultSecret'
are encryptedfinal class VaultSecretElement extends AbstractFormElement
{
public function render(): array
{
// Render password field with:
// - Masked display (dots)
// - Reveal button (permission-based)
// - Copy button (permission-based)
// - Hidden field for vault identifier
}
}Registration in ext_:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['formEngine']['nodeRegistry'][1735400000] = [
'nodeName' => 'vaultSecret',
'priority' => 40,
'class' => VaultSecretElement::class,
];final class DataHandlerHook
{
// Before save: Extract secret, generate UUID, queue for storage
public function processDatamap_preProcessFieldArray(...): void
{
foreach ($this->getVaultFields($table) as $field) {
if ($this->hasSecretValue($fieldArray, $field)) {
$uuid = $this->generateUuid();
$this->pendingSecrets[$table][$id][$field] = [
'uuid' => $uuid,
'value' => $fieldArray[$field]['value'],
];
$fieldArray[$field] = $uuid; // Store UUID in database
}
}
}
// After save: Store secrets with correct UID
public function processDatamap_afterDatabaseOperations(...): void
{
foreach ($this->pendingSecrets[$table][$id] as $field => $data) {
$this->vaultService->store($data['uuid'], $data['value'], [
'metadata' => [
'table' => $table,
'field' => $field,
'uid' => $recordUid,
'source' => 'tca_field',
],
]);
}
}
// Before delete: Remove associated secrets
public function processCmdmap_preProcess(...): void;
// After copy: Create new secrets for copied record
public function processCmdmap_postProcess(...): void;
}Separate hook for FlexForm fields due to different data structure:
final class FlexFormVaultHook
{
public function processDatamap_preProcessFieldArray(...): void
{
// Recursively scan FlexForm XML for vaultSecret fields
// Same UUID-based approach as TCA fields
// Store metadata: flexField, sheet, fieldPath
}
}Extensions add vault support with one line:
'api_key' => [
'label' => 'API Key',
'config' => [
'type' => 'input',
'renderType' => 'vaultSecret', // This one line
'size' => 30,
],
],Helper for common patterns:
use Netresearch\NrVault\TCA\VaultFieldHelper;
'api_key' => VaultFieldHelper::getSecureFieldConfig('API Key'),Form Display:
1. VaultSecretElement renders password field
2. If UUID exists, shows masked value with reveal option
3. JavaScript handles reveal/copy interactions
Form Submit:
1. DataHandlerHook.preProcess extracts secret value
2. Generates UUID v7 identifier (see ADR-001)
3. Sets field value to UUID (for database)
4. DataHandlerHook.afterDatabaseOperations stores secret in vault
Record Delete:
1. DataHandlerHook.processCmdmap_preProcess finds vault fields
2. Retrieves UUIDs from record
3. Deletes corresponding vault secrets
Record Copy:
1. DataHandlerHook.processCmdmap_postProcess detects copy
2. Retrieves source secrets by UUID
3. Creates new secrets with new UUIDs for copied recorduse Netresearch\NrVault\Utility\VaultFieldResolver;
// Resolve specific fields
$resolved = VaultFieldResolver::resolveFields($record, ['api_key']);
// Auto-detect vault fields from TCA
$resolved = VaultFieldResolver::resolveRecord('tx_myext_settings', $record);renderType to existing fieldsTable of contents
Accepted
2026-01-03
Secrets in the vault may contain highly sensitive data (API keys, passwords, certificates). Access to these secrets must be controlled to:
How should access to vault secrets be controlled in a way that integrates naturally with TYPO3's backend user system?
Inherit permissions from the page tree where secrets are stored.
Pros:
Cons:
Build a separate permission system specific to vault.
Pros:
Cons:
Each secret has an owner (backend user) and allowed groups (backend groups).
Pros:
Cons:
We chose Owner/Group model with TYPO3 integration because:
Access Decision Tree:
1. Is user a TYPO3 admin or system maintainer?
→ YES: ALLOW (full access)
2. Is user the secret's owner (owner_uid)?
→ YES: ALLOW (full access)
3. Is user a member of any allowed_groups?
→ YES: ALLOW (read/write access)
4. Is this a CLI/scheduler context with CLI access enabled?
→ YES: Check CLI access groups
→ Group matches: ALLOW
5. Is this frontend context with frontend_accessible=true?
→ YES: ALLOW (read only)
6. Default: DENY-- Single owner
owner_uid int(11) unsigned DEFAULT 0 NOT NULL,
-- Multiple groups (many-to-many)
allowed_groups text,
-- Frontend access flag
frontend_accessible tinyint(1) unsigned DEFAULT 0 NOT NULL,
-- Permission scoping
context varchar(50) DEFAULT '' NOT NULL,
scope_pid int(11) unsigned DEFAULT 0 NOT NULL,
-- Many-to-many relation table
CREATE TABLE tx_nrvault_secret_begroups_mm (
uid_local int(11) unsigned, -- Secret UID
uid_foreign int(11) unsigned, -- Backend group UID
);final readonly class AccessControlService implements AccessControlServiceInterface
{
public function canRead(Secret $secret): bool
{
return $this->checkAccess($secret);
}
public function canWrite(Secret $secret): bool
{
return $this->checkAccess($secret);
}
public function canDelete(Secret $secret): bool
{
return $this->checkAccess($secret);
}
private function checkAccess(Secret $secret): bool
{
$backendUser = $GLOBALS['BE_USER'] ?? null;
if ($backendUser === null) {
return $this->checkCliAccess($secret);
}
// Admins and system maintainers have full access
if ($backendUser->isAdmin() || $backendUser->isSystemMaintainer()) {
return true;
}
// Owner has full access
$userUid = (int) ($backendUser->user['uid'] ?? 0);
if ($userUid === $secret->getOwnerUid()) {
return true;
}
// Check group membership
$userGroups = $backendUser->userGroupsUID ?? [];
$allowedGroups = $secret->getAllowedGroups();
return count(array_intersect($userGroups, $allowedGroups)) > 0;
}
}Access checks are enforced in
Vault:
public function retrieve(string $identifier): ?string
{
$secret = $this->repository->findByIdentifier($identifier);
if (!$this->accessControl->canRead($secret)) {
$this->auditLog->log($identifier, 'access_denied', false);
throw new AccessDeniedException('Access denied');
}
// ... decrypt and return
}
public function delete(string $identifier, string $reason = ''): void
{
$secret = $this->repository->findByIdentifier($identifier);
if (!$this->accessControl->canDelete($secret)) {
throw new AccessDeniedException('Delete access denied');
}
// ... delete secret
}'owner_uid' => [
'label' => 'Owner',
'config' => [
'type' => 'group',
'allowed' => 'be_users',
'maxitems' => 1,
],
],
'allowed_groups' => [
'label' => 'Allowed Groups',
'config' => [
'type' => 'group',
'allowed' => 'be_groups',
'MM' => 'tx_nrvault_secret_begroups_mm',
'maxitems' => 20,
],
],public function getCurrentActorUid(): int
{
return (int) ($GLOBALS['BE_USER']->user['uid'] ?? 0);
}
public function getCurrentActorType(): string
{
if (Environment::isCli()) {
return 'cli';
}
if ($GLOBALS['BE_USER'] ?? null) {
return 'backend';
}
return 'api';
}Additional UI-level control via TSconfig:
vault.permissions {
default {
reveal = 1
copy = 1
edit = 1
readOnly = 0
}
tx_myext_settings.api_key {
reveal = 0
copy = 0
}
}Table of contents
Accepted
2026-01-03
Secret management systems require comprehensive audit trails for:
The audit system must capture who accessed what, when, and from where, while being tamper-evident to ensure log integrity.
How should vault operations be logged to provide complete auditability while preventing log tampering?
Use TYPO3's built-in logging system.
Pros:
Cons:
Send logs to external SIEM (Splunk, ELK, etc.).
Pros:
Cons:
Custom table with tamper-evident hash chain linking entries.
Pros:
Cons:
We chose dedicated audit table with hash chain combined with PSR-14 events because:
final readonly class AuditLogEntry implements JsonSerializable
{
public function __construct(
public ?int $uid,
public string $secretIdentifier,
public string $action, // create, read, update, delete, rotate
public bool $success,
public ?string $errorMessage,
public ?string $reason,
public int $actorUid,
public string $actorType, // backend, cli, api, scheduler
public string $actorUsername,
public string $actorRole,
public string $ipAddress,
public string $userAgent,
public string $requestId,
public string $previousHash, // Links to prior entry
public string $entryHash, // SHA-256 of this entry
public string $hashBefore, // Value checksum before
public string $hashAfter, // Value checksum after
public int $crdate,
public array $context, // Structured JSON metadata
) {}
}Note
As of ADR-023: Audit hash chain HMAC consideration, the hash chain uses
HMAC-SHA256 keyed with an HKDF-derived key from the master key.
New entries (epoch 1+) use hash_hmac() instead of plain hash().
Legacy entries (epoch 0) remain verifiable with the original SHA-256
algorithm.
Each entry's hash includes the previous entry's hash, creating an unbroken chain:
private function calculateEntryHash(AuditLogEntry $entry, string $hmacKey): string
{
$data = implode('|', [
$entry->uid,
$entry->secretIdentifier,
$entry->action,
$entry->actorUid,
$entry->crdate,
$entry->previousHash,
]);
return hash_hmac('sha256', $data, $hmacKey);
}
public function verifyHashChain(?int $fromUid = null, ?int $toUid = null): array
{
$entries = $this->getEntriesInRange($fromUid, $toUid);
$errors = [];
foreach ($entries as $i => $entry) {
// Verify entry hash
$expectedHash = $this->calculateEntryHash($entry);
if ($entry->entryHash !== $expectedHash) {
$errors[$entry->uid] = 'Hash mismatch';
}
// Verify chain link
if ($i > 0 && $entry->previousHash !== $entries[$i - 1]->entryHash) {
$errors[$entry->uid] = 'Chain break';
}
}
return ['valid' => empty($errors), 'errors' => $errors];
}CREATE TABLE tx_nrvault_audit_log (
uid int(11) unsigned NOT NULL auto_increment,
-- What happened
secret_identifier varchar(255) NOT NULL,
action varchar(50) NOT NULL,
success tinyint(1) unsigned DEFAULT 1 NOT NULL,
error_message text,
reason text,
-- Who did it
actor_uid int(11) unsigned DEFAULT 0 NOT NULL,
actor_type varchar(50) NOT NULL,
actor_username varchar(255) NOT NULL,
actor_role varchar(100) NOT NULL,
-- Context
ip_address varchar(45) NOT NULL,
user_agent varchar(500) NOT NULL,
request_id varchar(100) NOT NULL,
-- Tamper detection
previous_hash varchar(64) NOT NULL,
entry_hash varchar(64) NOT NULL,
-- Change tracking
hash_before char(64) NOT NULL,
hash_after char(64) NOT NULL,
-- Metadata
crdate int(11) unsigned NOT NULL,
context text,
PRIMARY KEY (uid),
KEY secret_identifier (secret_identifier),
KEY action (action),
KEY actor_uid (actor_uid),
KEY crdate (crdate)
);// All vault operations:
'create' // New secret stored
'read' // Secret retrieved/decrypted
'update' // Secret value changed
'delete' // Secret removed
'rotate' // Secret rotated with new value
'access_denied' // Permission check failed
'http_call' // VaultHttpClient API callfinal readonly class AuditLogService implements AuditLogServiceInterface
{
public function log(
string $identifier,
string $action,
bool $success,
?string $errorMessage = null,
?string $reason = null,
?string $hashBefore = null,
?string $hashAfter = null,
?AuditContextInterface $context = null,
): void;
public function query(
?AuditLogFilter $filter = null,
int $limit = 100,
int $offset = 0,
): array;
public function count(?AuditLogFilter $filter = null): int;
public function verifyHashChain(?int $fromUid = null, ?int $toUid = null): array;
public function export(?AuditLogFilter $filter = null): array;
}$filter = AuditLogFilter::forSecret('my_api_key')
->withAction('read')
->withDateRange($startTime, $endTime)
->withSuccess(true);
$entries = $auditService->query($filter, limit: 50);Events dispatched after logging for external integration:
SecretCreatedEvent // identifier, secret, actorUid
SecretAccessedEvent // identifier, actorUid, context
SecretUpdatedEvent // identifier, version, actorUid
SecretDeletedEvent // identifier, actorUid, reason
SecretRotatedEvent // identifier, newVersion, actorUid, reason
MasterKeyRotatedEvent // secretsReEncrypted, actorUid, rotatedAtExample listener:
final class SlackNotifier
{
public function __invoke(SecretAccessedEvent $event): void
{
if ($event->getContext() === 'production') {
$this->slack->notify("Secret accessed: {$event->getIdentifier()}");
}
}
}Type-safe context for structured metadata:
final readonly class HttpCallContext implements AuditContextInterface
{
public function __construct(
public string $method,
public string $host,
public string $path,
public int $statusCode,
) {}
public static function fromRequest(
string $method,
string $url,
int $statusCode,
): self;
}Table of contents
Accepted
2026-01-03
Vault secrets need associated metadata for:
This metadata must be queryable without decrypting secrets.
How should secret metadata be stored and structured to enable efficient queries and management without exposing encrypted values?
Store metadata inside the encrypted blob.
Pros:
Cons:
Store metadata in a separate linked table.
Pros:
Cons:
Store metadata as plaintext columns in the same table as encrypted data.
Pros:
Cons:
We chose metadata columns alongside encrypted value because:
final class Secret
{
// Identification
private ?int $uid = null;
private string $identifier = '';
private string $description = '';
// Encrypted data (only sensitive part)
private ?string $encryptedValue = null;
private string $encryptedDek = '';
private string $dekNonce = '';
private string $valueNonce = '';
private string $valueChecksum = '';
private int $encryptionVersion = 1;
// Access control (plaintext, needed for permission checks)
private int $ownerUid = 0;
private array $allowedGroups = [];
private string $context = '';
private bool $frontendAccessible = false;
// Lifecycle (plaintext, needed for queries)
private int $version = 1;
private int $expiresAt = 0;
private int $lastRotatedAt = 0;
private int $readCount = 0;
private int $lastReadAt = 0;
// Storage
private string $adapter = 'local';
private string $externalReference = '';
private int $scopePid = 0;
// TYPO3 standard fields
private int $pid = 0;
private int $crdate = 0;
private int $tstamp = 0;
private int $cruserId = 0;
private bool $deleted = false;
private bool $hidden = false;
// Custom metadata (JSON)
private array $metadata = [];
}CREATE TABLE tx_nrvault_secret (
-- Primary key
uid int(11) unsigned NOT NULL auto_increment,
-- Identification (queryable)
identifier varchar(255) NOT NULL,
description text,
-- Encrypted data (protected)
encrypted_value mediumblob,
encrypted_dek text,
dek_nonce varchar(24) NOT NULL,
value_nonce varchar(24) NOT NULL,
encryption_version int(11) unsigned DEFAULT 1,
value_checksum char(64) NOT NULL,
-- Access control (queryable, not sensitive)
owner_uid int(11) unsigned DEFAULT 0,
allowed_groups text,
context varchar(50) DEFAULT '',
frontend_accessible tinyint(1) unsigned DEFAULT 0,
-- Lifecycle (queryable)
version int(11) unsigned DEFAULT 1,
expires_at int(11) unsigned DEFAULT 0,
last_rotated_at int(11) unsigned DEFAULT 0,
read_count int(11) unsigned DEFAULT 0,
last_read_at int(11) unsigned DEFAULT 0,
-- Storage adapter
adapter varchar(50) DEFAULT 'local',
external_reference varchar(500) DEFAULT '',
scope_pid int(11) unsigned DEFAULT 0,
-- Custom metadata (JSON)
metadata text,
-- TYPO3 standard
pid int(11) DEFAULT 0,
tstamp int(11) unsigned DEFAULT 0,
crdate int(11) unsigned DEFAULT 0,
cruser_id int(11) unsigned DEFAULT 0,
deleted tinyint(1) unsigned DEFAULT 0,
hidden tinyint(1) unsigned DEFAULT 0,
PRIMARY KEY (uid),
UNIQUE KEY identifier (identifier, deleted),
KEY owner_uid (owner_uid),
KEY context (context),
KEY expires_at (expires_at),
KEY adapter (adapter)
);Identification:
identifier - Unique secret name (queryable)description - Human-readable descriptionAccess Control:
owner_uid - Backend user who owns the secretallowed_groups - Backend groups with accesscontext - Permission scoping context (e.g., "payment", "reporting")frontend_accessible - Allow frontend accessLifecycle:
version - Incremented on rotationexpires_at - Unix timestamp for expiration (0 = never)last_rotated_at - Last rotation timestampread_count - Total access countlast_read_at - Last access timestampStorage:
adapter - Storage backend (currently: local; planned: hashicorp, aws, azure)external_reference - Reference for external adapters (reserved for future use)scope_pid - TYPO3 page for hierarchical scopingCustom:
metadata - JSON object for application-specific datapublic function getMetadata(string $identifier): array
{
$secret = $this->repository->findByIdentifier($identifier);
// No decryption needed - metadata is plaintext
return [
'uid' => $secret->getUid(),
'identifier' => $secret->getIdentifier(),
'description' => $secret->getDescription(),
'owner' => $secret->getOwnerUid(),
'groups' => $secret->getAllowedGroups(),
'context' => $secret->getContext(),
'version' => $secret->getVersion(),
'createdAt' => $secret->getCrdate(),
'updatedAt' => $secret->getTstamp(),
'expiresAt' => $secret->getExpiresAt(),
'lastRotatedAt' => $secret->getLastRotatedAt(),
'metadata' => $secret->getMetadata(),
'scopePid' => $secret->getScopePid(),
];
}
public function updateMetadata(string $identifier, array $metadata): void
{
// Update metadata without touching encrypted value
$secret = $this->repository->findByIdentifier($identifier);
if (isset($metadata['description'])) {
$secret->setDescription($metadata['description']);
}
if (isset($metadata['context'])) {
$secret->setContext($metadata['context']);
}
// ... other metadata fields
$this->repository->save($secret);
}public function retrieve(string $identifier): ?string
{
$secret = $this->repository->findByIdentifier($identifier);
// Check expiration from metadata (no decryption)
if ($secret->isExpired()) {
throw new SecretExpiredException($identifier);
}
// Check access from metadata (no decryption)
if (!$this->accessControl->canRead($secret)) {
throw new AccessDeniedException();
}
// Only now decrypt
return $this->decrypt($secret);
}$vault->store('api_key', $value, [
'metadata' => [
'source' => 'tca_field',
'table' => 'tx_myext_settings',
'field' => 'api_key',
'uid' => 42,
'environment' => 'production',
],
]);
// Query by custom metadata
$secrets = $vault->list();
$tcaSecrets = array_filter($secrets, fn($s) =>
($s['metadata']['source'] ?? '') === 'tca_field'
);Table of contents
Accepted
2026-01-03
Applications often need to make authenticated HTTP requests to external APIs using secrets stored in the vault. The typical pattern exposes secrets to application code:
$apiKey = $vault->retrieve('stripe_api_key');
$client->request('POST', '/charges', [
'headers' => ['Authorization' => 'Bearer ' . $apiKey],
]);
// $apiKey remains in memory, possibly loggedThis approach:
How can applications make authenticated HTTP requests using vault secrets without exposing the secret values to application code?
Factory methods that return pre-configured HTTP clients.
Pros:
Cons:
Middleware that injects credentials into requests.
Pros:
Cons:
Immutable wrapper implementing PSR-18 with authentication configuration.
Pros:
Cons:
We chose PSR-18 wrapper with fluent authentication API because:
with* call returns new instance, preventing state issuessodium_memzero() clears secrets after injectioninterface VaultHttpClientInterface extends ClientInterface
{
public function withAuthentication(
string $secretIdentifier,
SecretPlacement $placement = SecretPlacement::Bearer,
array $options = [],
): static;
public function withOAuth(OAuthConfig $config, string $reason = ''): static;
public function withReason(string $reason): static;
}Type-safe authentication placement options:
enum SecretPlacement: string
{
case Bearer = 'bearer'; // Authorization: Bearer {secret}
case BasicAuth = 'basic'; // Authorization: Basic {base64}
case Header = 'header'; // Custom header
case QueryParam = 'query'; // URL query parameter
case BodyField = 'body_field'; // Request body field
case OAuth2 = 'oauth2'; // OAuth 2.0 with token refresh
case ApiKey = 'api_key'; // X-API-Key header
}use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
// Bearer authentication
$response = $this->httpClient
->withAuthentication('stripe_api_key', SecretPlacement::Bearer)
->sendRequest(new Request('POST', 'https://api.stripe.com/v1/charges'));
// Custom header
$response = $this->httpClient
->withAuthentication('api_token', SecretPlacement::Header, [
'headerName' => 'X-API-Key',
])
->sendRequest(new Request('GET', 'https://api.example.com/data'));
// Basic authentication with two secrets
$response = $this->httpClient
->withAuthentication('service_password', SecretPlacement::BasicAuth, [
'usernameSecret' => 'service_username',
'reason' => 'Fetching secure data',
])
->sendRequest(new Request('GET', 'https://api.example.com/secure'));final readonly class VaultHttpClient implements VaultHttpClientInterface
{
public function __construct(
private VaultServiceInterface $vaultService,
private AuditLogServiceInterface $auditLogService,
private ?ClientInterface $innerClient = null,
private ?string $secretIdentifier = null,
private ?SecretPlacement $placement = null,
// ... other configuration
) {}
public function withAuthentication(
string $secretIdentifier,
SecretPlacement $placement = SecretPlacement::Bearer,
array $options = [],
): static {
// Return NEW instance with updated configuration
return new self(
$this->vaultService,
$this->auditLogService,
$this->innerClient,
$secretIdentifier,
$placement,
// ... merge options
);
}
public function sendRequest(RequestInterface $request): ResponseInterface
{
// Inject authentication into request
$request = $this->injectAuthentication($request);
// Send request
$response = $this->getInnerClient()->sendRequest($request);
// Audit log (secret identifier, not value)
$this->logHttpCall($request, $response);
return $response;
}
}private function injectBearer(RequestInterface $request): RequestInterface
{
$secret = $this->vaultService->retrieve($this->secretIdentifier);
try {
return $request->withHeader('Authorization', 'Bearer ' . $secret);
} finally {
sodium_memzero($secret); // Clear from memory immediately
}
}
private function injectBasicAuth(RequestInterface $request): RequestInterface
{
$password = $this->vaultService->retrieve($this->secretIdentifier);
$username = $this->usernameSecretIdentifier
? $this->vaultService->retrieve($this->usernameSecretIdentifier)
: '';
try {
$credentials = base64_encode($username . ':' . $password);
return $request->withHeader('Authorization', 'Basic ' . $credentials);
} finally {
sodium_memzero($password);
if ($username !== '') {
sodium_memzero($username);
}
}
}$config = OAuthConfig::clientCredentials(
tokenUrl: 'https://oauth.example.com/token',
clientIdSecret: 'oauth_client_id',
clientSecretSecret: 'oauth_client_secret',
scopes: ['read', 'write'],
);
$response = $this->httpClient
->withOAuth($config, 'API access')
->sendRequest($request);The
OAuth handles:
final class SecureHttpClientFactory
{
public function create(): ClientInterface
{
return new Client([
'debug' => false, // Never log request/response bodies
'http_errors' => false, // Handle errors in vault client
// Respect TYPO3 HTTP settings
'proxy' => $GLOBALS['TYPO3_CONF_VARS']['HTTP']['proxy'] ?? null,
'verify' => $GLOBALS['TYPO3_CONF_VARS']['HTTP']['verify'] ?? true,
'timeout' => $GLOBALS['TYPO3_CONF_VARS']['HTTP']['timeout'] ?? 30,
]);
}
}private function logHttpCall(RequestInterface $request, ResponseInterface $response): void
{
$this->auditLogService->log(
$this->secretIdentifier, // Which secret was used
'http_call',
$response->getStatusCode() < 400, // Success flag
null,
$this->reason,
context: HttpCallContext::fromRequest(
$request->getMethod(),
(string) $request->getUri(),
$response->getStatusCode(),
),
);
}sodium_memzero() clears secrets immediatelydebug: false prevents request/response loggingtry/finally to ensure cleanup even on exceptionsTable of contents
Accepted
2026-01-04
TYPO3 extensions commonly store API keys and credentials in extension settings
(defined in ext_, managed via
Admin Tools > Settings > Extension Configuration).
These settings are stored in the database (
sys_ table in v12+)
and loaded into
$GLOBALS at runtime.
afterExtensionConfigurationWrite signal
was removed in v9.$GLOBALS persist for the
entire request lifecycle. Storing actual secrets there defeats vault's
security model (immediate memory cleanup via sodium_memzero).type=user[...] allows custom rendering,
there's no hook into the save/load lifecycle to intercept values.Store vault identifiers (not secrets) in extension settings. The identifier
is resolved to the actual secret only at use time via
Vault.
Two patterns are supported depending on use case:
For settings that are always vault references:
my_translation_api_keyUsed directly with
with:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
// Pattern A: Direct identifier usage
// Extension setting value: my_translation_api_key
$vault->http()
->withAuthentication($config['apiKey'], SecretPlacement::Bearer)
->sendRequest($request);
Advantages:
For mixed settings, explicit documentation, or migration from plaintext to vault:
vault:my_translation_api_keyParsed with
Vault helper:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
// Pattern B: Prefixed reference usage
// Extension setting value: vault:my_translation_api_key
$ref = VaultReference::tryParse($config['apiKey']);
if ($ref !== null) {
$vault->http()
->withAuthentication($ref->identifier, SecretPlacement::Bearer)
->sendRequest($request);
}
Advantages:
Extension settings template:
# cat=api; type=string; label=API Key (Vault Identifier): Enter your vault secret identifier
apiKey =
# cat=api; type=string; label=API Endpoint
apiEndpoint = https://api.translate.example.com/v1
Service implementation:
<?php
/*
* Copyright (c) 2025-2026 Netresearch DTT GmbH
* SPDX-License-Identifier: GPL-2.0-or-later
*/
declare(strict_types=1);
namespace Acme\AcmeTranslate\Service;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Service\VaultServiceInterface;
use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
use TYPO3\CMS\Core\Http\RequestFactory;
final class TranslationService
{
private string $apiKey;
private string $apiEndpoint;
public function __construct(
private readonly VaultServiceInterface $vault,
private readonly RequestFactory $requestFactory,
ExtensionConfiguration $extensionConfiguration,
) {
$config = $extensionConfiguration->get('acme_translate');
$this->apiKey = (string) ($config['apiKey'] ?? '');
$this->apiEndpoint = (string) ($config['apiEndpoint'] ?? '');
}
public function translate(string $text, string $targetLang): string
{
if ($this->apiKey === '') {
throw new \RuntimeException(
'Translation API key not configured in extension settings.',
1735990000
);
}
$request = $this->requestFactory
->createRequest('POST', $this->apiEndpoint . '/translate')
->withHeader('Content-Type', 'application/json')
->withBody(\GuzzleHttp\Psr7\Utils::streamFor(json_encode([
'text' => $text,
'target' => $targetLang,
])));
// $this->apiKey contains vault identifier, resolved at request time
$response = $this->vault->http()
->withAuthentication($this->apiKey, SecretPlacement::Bearer)
->withReason('Translation request: ' . $targetLang)
->sendRequest($request);
$data = json_decode($response->getBody()->getContents(), true);
return $data['translation'] ?? '';
}
}
Setup via backend:
Create secret in vault:
acme_translate_api_keyConfigure extension:
acme_translate_api_keyVia CLI (alternative):
./vendor/bin/typo3 vault:store acme_translate_api_key "your-actual-api-key"The extension setting stores only the identifier, never the secret:
sys_registry (extension config):
apiKey = "acme_translate_api_key" ← Just the identifier
tx_nrvault_secret (vault):
identifier = "acme_translate_api_key"
encrypted_value = [AES-256-GCM encrypted actual key]Even if someone accidentally enters the actual API key in extension settings:
withAuthentication('sk_live_abc123...') tries vault lookupRejected because:
$GLOBALS for entire requestsodium_memzero() cleanup possible# type=user[Netresearch\NrVault\Configuration\VaultSecretField->render]
apiKey =Rejected because:
Table of contents
Accepted
2026-01-12
We need a TYPO3-wide solution for outbound service calls that centralizes:
There are two organizational packaging options:
t3x-nr-secure-http) and let nr-vault consume it, ort3x-nr-vault directly with Service Registry + SecureHttpClient.We will implement Secure Outbound inside nr-vault as a first-class feature:
ServiceRegistryServiceCredentialSetServiceSecureHttpClientInterface + default transportOther extensions (nr-llm, shipping integrations, custom extensions) will depend on nr-vault for outbound calls.
Create t3x-nr-secure-http with nr-vault as a dependency.
Rejected because it complicates adoption, creates unclear ownership boundaries, and risks cycles later.
Create a standalone extension with no dependency on nr-vault.
Rejected because it duplicates encryption/audit/ACL capabilities and becomes "yet another secret store".
If a future scenario demands it, we can still split packages later, but the MVP should optimize for clarity and adoption.
Table of contents
Accepted
2026-01-12
nr-vault currently stores atomic secrets (single values). Real integrations often require a set of related fields (e.g. OAuth2 client credentials: client_id, client_secret, token_url, scopes). Managing these as separate secrets is error-prone and lacks semantic validation.
We need a "Credential Set" concept while preserving the existing tx_nrvault_secret
primitive and its encryption/audit semantics.
We will introduce a new table/concept tx_nrvault_credential_set and define:
tx_nrvault_secret remains the primitive encrypted storage unit (atomic, type-agnostic)tx_nrvault_credential_set becomes a typed wrapper that references exactly
one secret row via secret_uidCredential sets do not replace tx_nrvault_secret. They build on top of it.
Bearer token:
{"token": "sk-abc123..."}OAuth2 Client Credentials:
{
"client_id": "my-client",
"client_secret": "secret123",
"token_url": "https://oauth.example.com/token",
"scopes": ["read", "write"]
}Credential set as parent, multiple child secrets.
Rejected for MVP: more joins and complexity; awkward for FFI integration (multiple blobs); unclear audit semantics.
No secret FK, store encryption directly in tx_nrvault_credential_set.
Rejected: duplicates encryption/audit logic and creates two competing secret stores.
Link secrets via tags or metadata.
Rejected: weak referential integrity; too easy to break.
Table of contents
Accepted
2026-01-12
Multiple extensions need to call external HTTP services with centralized credentials, policies, and audit. We need:
We also want optional Rust (FFI or later sidecar) without forcing it on everyone.
We define a public SecureHttpClientInterface and a transport abstraction:
serviceIdinterface TransportInterface
{
public function send(RequestSpec $request): ResponseSpec;
}Backends:
PhpTransport (default; PSR-18 or Symfony HttpClient)RustFfiTransport (optional)SidecarTransportConsumers never talk to transports directly; they only use SecureHttpClientInterface.
Allow consumers to use PSR-18 clients directly.
Rejected: loses central policy enforcement and audit guarantees.
Require Rust transport for all installations.
Rejected: adoption killer; too many environments can't/won't run native code.
Table of contents
Accepted
2026-01-12
PHP FFI is powerful but increases attack surface if enabled broadly. Dynamic
FFI::cdef() at runtime allows binding arbitrary native symbols, which is
risky in web contexts.
We need a production-safe operational model that reduces risk and keeps behavior predictable.
If we ship/use a Rust FFI transport, we require:
ffi.enable=preload (or an equivalent
hardened configuration)opcache.preload) and not
dynamically in request handlingUse ffi.enable=true to allow dynamic FFI calls.
Rejected: unacceptable risk in typical web hosting setups.
Build a native PHP extension in Rust.
Deferred: could be considered later, but increases maintenance and build complexity.
Table of contents
Accepted
2026-01-12
Shipping native binaries inside extension packages:
We still want Rust as an optional performance/security feature where it makes sense.
Rust transport artifacts are distributed as separate platform-specific artifacts, e.g.:
Ship the native library inside the TYPO3 extension package.
Rejected as default; allowed only in managed/special cases.
Table of contents
Accepted
2026-01-12
HTTP/3 support is uneven across ecosystems and can be experimental in client libraries. For our target installations, correctness and operability matter more than "having HTTP/3".
We want to benefit from HTTP/3 where it works, without destabilizing the platform.
HTTP/3 is optional and controlled by:
Use HTTP/3 as the default transport mode.
Rejected: too risky, too unstable, too environment-dependent.
Table of contents
Accepted
2026-01-12
FFI does not provide true isolation. If the threat model includes "PHP process compromise", a separate process (sidecar/daemon) running under different OS permissions can provide stronger separation:
We don't want to block MVP with sidecar complexity, but we must not paint ourselves into a corner.
SidecarTransportDo not support a sidecar mode at all.
Rejected: too limiting for serious security requirements.
Build sidecar mode from the start.
Rejected: slows down MVP and increases operational burden prematurely.
Table of contents
Accepted
2026-01-12
We want auditability ("who called what, when, and with what outcome") without:
Audit is necessary, but must be safe and bounded.
The outbound audit log stores metadata only:
It does not store:
Log full request and response bodies for maximum detail.
Rejected: high leakage risk and storage blow-up.
Do not log outbound requests at all.
Rejected: undermines the core governance value proposition.
Table of contents
Accepted
2026-03-28
FlexForm vault secrets were not managed across record lifecycle operations. When a TYPO3 record containing FlexForm vault references was deleted, the referenced secrets remained in the vault as orphans, consuming storage and polluting audit trails. When a record was copied, the new record shared the same secret UUIDs as the original, meaning changes to the secret in one record would silently affect the other.
This created two distinct problems:
Implement processCmdmap hooks in the TYPO3 DataHandler to intercept
record lifecycle operations:
This ensures vault secrets follow the same lifecycle as the records that own them.
Table of contents
Accepted
2026-03-28
Every call to VaultService::retrieve() wrote audit log entries,
resulting in three database operations per read (fetch secret, write audit
entry, update hash chain). In frontend rendering scenarios where multiple
vault references are resolved per page request, this caused significant
performance overhead.
For a typical page with 5 vault-backed content elements, this meant 15 additional database operations per page render solely for audit logging of read operations. Write operations (create, update, delete, rotate) are infrequent and their audit overhead is acceptable, but read operations dominate in frontend contexts.
Add an auditReads configuration option that controls whether read
(retrieve) operations are written to the audit log:
retrieve() call is
audit-logged, preserving full read traceability.Write operations (create, update, delete, rotate) are always audit-logged regardless of this setting. The option is designed for use in performance-sensitive contexts such as frontend rendering, where read audit is less critical than in backend administrative contexts.
Table of contents
Accepted
2026-03-28
Master key providers re-read the key material from disk, environment variables, or re-derived it via HKDF on every decrypt operation. In requests that decrypt multiple secrets (e.g., frontend rendering with several vault-backed content elements), this caused repeated filesystem reads or HKDF computations for the same key material.
The master key does not change within a single HTTP request, so repeated derivation is pure overhead.
Cache the derived master key in memory for the lifetime of the current request:
sodium_memzero() to prevent it from lingering
in process memory.This follows the principle of minimizing key material exposure: the key exists in memory only for the duration of the request and is actively cleared rather than left for garbage collection.
sodium_memzero() on destruct ensures key material
does not persist in memory beyond the request.Table of contents
Accepted
2026-03-28
VaultService::list() suffered from an N+1 query problem. For N secrets,
the implementation executed:
This resulted in 1+2N database queries, meaning a vault with 50 secrets required 101 queries for a single list operation. This scaled poorly and caused noticeable latency in the backend module.
Add a findAllWithFilters() repository method that uses batch loading
to resolve all data in a constant number of queries:
WHERE uid_local IN (...).Group assignments are then mapped to their respective secrets in PHP, avoiding per-secret queries entirely.
list() API is preserved;
the optimization is internal to the repository layer.Table of contents
Accepted
2026-03-28
OAuth-related errors (token refresh failures, invalid grants, expired
tokens, provider errors) used the generic VaultException class. This
prevented callers from distinguishing OAuth failures from other vault
errors, making targeted error handling impossible.
For example, a caller wanting to retry on token expiry but fail fast on a missing secret had to inspect exception messages rather than catching a specific exception type. This is fragile and violates the principle of using the type system for error classification.
Create an OAuthException class that extends VaultException with
OAuth-specific factory methods:
OAuthException::tokenRefreshFailed(string $provider, string $reason)OAuthException::invalidGrant(string $provider)OAuthException::providerUnavailable(string $provider)OAuthException::tokenExpired(string $provider)Each factory method sets an appropriate error code and message, providing structured error information without exposing sensitive token data.
catch (OAuthException $e)
to handle OAuth failures distinctly from other vault errors.OAuthException extends VaultException,
so existing catch (VaultException $e) blocks continue to work.Table of contents
Accepted
2026-03-28
The current audit hash chain (see ADR-006: Audit logging) uses plain SHA-256 hashing without a secret key. While this provides tamper detection against accidental corruption or naive modification, an attacker with database-level access can recompute valid hashes after altering audit log entries, rendering the chain ineffective against adversarial tampering.
The original hash chain was designed for tamper detection (corruption, accidental modification), not for tamper resistance against database-privileged attackers. This threat model gap was identified during a subsequent security review.
Migrate the audit hash chain from plain SHA-256 to HMAC-SHA256, keyed with an HMAC key derived from the master key:
The HMAC key is derived from the master key using HKDF:
$hmacKey = hash_hkdf('sha256', $masterKey, 32, 'nr-vault-audit-hmac-v1');The info parameter "nr-vault-audit-hmac-v1" provides cryptographic
domain separation, ensuring the HMAC key is independent of any encryption
key material derived from the same master key.
Rather than rehashing all existing entries, a "chain epoch" marker separates legacy entries from HMAC-authenticated entries:
hash('sha256', ...).hash_hmac('sha256', ..., $hmacKey).The verifier handles both epochs transparently, selecting the appropriate algorithm based on the epoch marker stored with each entry.
The CLI command vault:audit-migrate-hmac migrates existing audit log
entries from epoch 0 to epoch 1. See vault:audit-migrate-hmac for
usage details.
vault:audit-migrate-hmac
command.The hash chain was designed for tamper detection -- catching corruption, accidental modification, or naive tampering. The threat model did not originally include database-privileged attackers who could recompute hashes.
This was a deliberate scoping decision: the initial implementation prioritized self-contained integrity checking without external key dependencies. The HMAC enhancement represents a threat model upgrade identified during security review.
Common issues and frequently asked questions about nr-vault.
No. This is by design. The master key is the root of trust for all encrypted secrets. Without it, decryption is impossible.
What to do:
Tip
Always keep a secure, offline backup of your master key. See File storage recommendations for storage recommendations.
Check the following:
tx_vault. prefixed settings.No. nr-vault requires a Composer-based TYPO3 installation. Classic
(non-Composer) installations are not supported. This is because nr-vault
depends on packages (such as sodium) that must be managed through
Composer's autoloader.
If you are using a classic installation, migrate to Composer first. See the TYPO3 documentation on Composer migration.
This error occurs when the encrypted data cannot be decrypted. Common causes:
The master key currently configured does not match the key used to encrypt the secret. This happens when:
The encrypted value in the database has been modified or truncated. This can happen due to:
Resolution:
tx_vault_secret table.This means nr-vault cannot locate or read the master key from the configured provider.
File provider:
0400).Environment provider:
echo $NR_VAULT_MASTER_KEY.SetEnv; for PHP-FPM, use
env[NR_VAULT_MASTER_KEY] in the pool configuration.docker-compose.yml or the orchestrator's secret injection.TYPO3 provider (default):
$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] is
set in settings.php .If you manage a large number of secrets, consider these optimizations:
VaultService::list() method with context filters
rather than loading all secrets at once. The service optimizes
queries when a context is specified.tx_vault_secret table includes indexes on commonly queried
columns. Ensure these indexes exist after migrations.Master key rotation re-encrypts all Data Encryption Keys (DEKs) with a new master key without changing the actual secret values.
Generate a new master key:
vendor/bin/typo3 vault:generate-key > /secure/path/new-master-keyRun the rotation command:
vendor/bin/typo3 vault:rotate-master-keyThe command will prompt for or auto-detect the old and new keys depending on your provider configuration.
Warning
Do not delete the old master key until you have verified that all secrets decrypt correctly with the new key.
To migrate existing plaintext credentials stored in TYPO3 records to vault-managed secrets:
vaultSecret renderType. See Developer for TCA
integration details.Run the migration command:
vendor/bin/typo3 vault:migrate-field \
--table=tx_myext_domain_model_connection \
--field=api_keyThis reads the current plaintext value, encrypts it into the vault, and replaces the field value with a vault reference identifier.
Clear caches after migration:
vendor/bin/typo3 cache:flushSee the table of contents for a complete overview.