--- title: "Storing sensitive information outside of your codebase" date: "2024-02-14T06:18:38+00:00" summary: "Learn how to securely store sensitive credentials outside your codebase for Drupal sites, protecting privacy while maintaining functionality." image: type: "page" url: "/resources/storing-sensitive-information-outside-your-codebase" id: "bbc792d2-169c-439b-ae89-ba263362a614" --- From time to time, your website needs access to sensitive credentials, passwords, or other private information to function properly, but do not store the information in your version control repository for privacy reasons. For example, the following modules or third-party integrations may require a secret or access key: * Drupal modules (Shield) * Amazon S3 configuration variables (`s3fs_awssdk2_access_key`, `s3fs_awssdk2_secret_key`, `s3fs_bucket`) * Google Cloud Messaging integration variables (`push_notifications_gcm_api_key`) * Google CAPTCHA variables (`recaptcha_secret_key`, `recaptcha_site_key`) To make the information available uniquely to your website, while keeping sensitive information out of your codebase, use one of the following methods: * Create a [secrets.settings.php file](#secrets-settings-php-file) * Create a [nobackup directory](#nobackup-directory) containing your sensitive data Note Acquia recommends that Cloud Next users create a [nobackup directory](#nobackup-directory) to store their senstitive information. secrets.settings.php file ------------------------- Storing sensitive credentials in a secrets file and not in your website’s database means your private data won’t exist in your database backups. With this, you can distribute database backups to team members who might need a database snapshot, but do not need full access to external systems. To create and use a secrets file with your website: 1. [Connect to your server](/acquia-cloud-platform/manage-apps/command-line) using SSH. 2. Navigate to your home directory. 3. If the `secrets.settings.php` file doesn’t exist, create it. Important In Cloud Classic, do not create the file in the `/mnt/gfs/[sitename].[env]/files/` directory, as files in this are publicly accessible. 4. To make the secrets file available to your application, add the lines in the following example to the appropriate location based on your installed product: * _Cloud Platform_: To your website’s `settings.php` file * _Site Factory_: To a [post-settings-php hook](/site-factory/extend/hooks/settings-php) named `secrets.php` Important Add the secrets file to _all_ Site Factory environments. During the Site Factory [staging process](/site-factory/workflow/staging), the `secrets.settings.php` file will not copy down to lower environments. $secrets_file = $_ENV['HOME'] . '/secrets.settings.php'; if (file_exists($secrets_file)) { require $secrets_file; } Since the code uses `$_ENV['HOME']` to build the link to the `secrets.settings.php` file, you can provide unique files for your production and non-production environments. Important * Keep your own backups of your `secrets.settings.php` file. Backups are stored outside your website’s files area. The Site Factory [full-website backups](../site-factory/manage/website/backup.html) do not back up the `secrets.settings.php` file. * While upgrading from Cloud Classic to Cloud Next, ensure that you migrate the `$HOME/APP_NAME` folder. Using the nobackup directory ---------------------------- You can also create a special `nobackup` directory where you can place files containing sensitive credentials. For information about using the method, see [Storing private information in the file system](/acquia-cloud-platform/manage-apps/files/system-files/private).