Reputation: 949
I'm developing a WordPress plugin. In that plugin the user needs to type some important login details, which I will use in a cron job.
I would of course like to encrypt the password, and found this useful stuff: "Best way to use PHP to encrypt and decrypt passwords?"
However, how should I save the key? I can't save it in a file, since all files will be replaced when the user updates the plugin. And saving it in the database, well - that's not exactly smart, I guess.
Any suggestions?
Upvotes: 3
Views: 1658
Reputation: 78991
I think it's better if you save the key in the database table. About the part of securing the database and making sure that the data in the table will only be accessible by the authorized person, you can create a second user, with the privilege of accessing and reading such vital tables.
Therefore, create a separate user, who will have the authority to access the table and its contents. Now, use the website with a different user, and switch to an administrative database user when you need to access the encryption key and other vital information.
Upvotes: 1
Reputation: 944
If you encrypt, you would still have to then store the encryption key on the same machine - only code obfuscation could slow down the attack from happening then.
In the best case scenario, only your database is vulnerable, in which case storing the encrypted password in the database and the key in the filesystem is not a terrible solution.
Worst case scenario, the system was thoroughly compromised. In this case, no amount of encryption is going to save you if you have to store the key in plain sight. Obfuscation might complicate matters, giving the owner enough time to secure the account.
Upvotes: 2
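The split the last answer describes (encrypted password in the database, key on the filesystem), as an added example that is not part of the original posts: the key sits in a file outside the plugin directory, so a plugin update does not replace it. It uses libsodium's secretbox, which is a choice made here and not something the posts name, and assumes PHP 7.2+ with the sodium extension; the function names, key path and sample password are made up for illustration.

```php
<?php
// Load the key from $keyFile, generating it on first use with owner-only permissions.
function load_or_create_key(string $keyFile): string {
    if (!is_file($keyFile)) {
        $old = umask(0077); // new file is created as 0600 (no effect on Windows)
        $ok  = file_put_contents($keyFile, sodium_crypto_secretbox_keygen(), LOCK_EX);
        umask($old);
        if ($ok === false) {
            throw new RuntimeException('cannot write key file');
        }
    }
    $key = file_get_contents($keyFile);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key file unreadable or wrong length');
    }
    return $key;
}

// Authenticated encryption; returns a base64 string suitable for a database column.
function encrypt_secret(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per value
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Reverses encrypt_secret(); throws if the value was altered or the key is wrong.
function decrypt_secret(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key
    );
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Constructed demo: the temp path stands in for a location outside the plugin folder.
$keyFile = sys_get_temp_dir() . '/example-plugin.key';
$key     = load_or_create_key($keyFile);
// $stored is what a plugin would save in the database, e.g. with update_option().
$stored  = encrypt_secret('constructed-sample-password', $key);
var_dump(decrypt_secret($stored, $key) === 'constructed-sample-password');
```

As the answer above says, this only helps when the database alone is exposed; anyone who can read the web server's files can read the key as well.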