Reputation: 733
Secure way to store encryption keys - PHP
I use openssl and mysql encryption trough PHP. Currently, I write the key in the php source code, but I think it isn't so secure. If someone gets the source (maybe FTP), encryption is broken. So, how would you store encryption keys on Linux server? I can't use another webserver to store the key.
Upvotes: 1
Views: 1900
Answers (2)
Reputation: 2635
I'm assuming you are using Apache.
Put the secret data into an environment variable in /etc/apache2/envvars, set the owner to root and the permissions to 400.
An attacker will have to compromise the server to put his hands on your key.
You can also cook up a script that asks for the secret when Apache starts (annoying, but even more secure).
Note that people with root access will always be able to get your key and trying to hide it from them is just a placebo.
Placebo solution:
- Make your application idle by default until you POST your key to an HTTPS page within the same application, save your key in a global variable and proceed with your business. You have to consider the PHP process' lifecycle (when the process terminates, you have to resend your key).
Upvotes: 2
Reputation: 211
I believe your best (according to your question and comments) bet is to just stick the keys somewhere on your directory space. Make sure they are not under www-root etc. Use appropriate file permissions (depending on your server settings).
Upvotes: 0
Related Questions
- encryption or Cryptography for store sensitive data
- Mysql encryption / storing sensitive data,
- How can I store sensitive data securely in a MySQL database?
- How to store encrypted data in mySQL
- Store 'sensitive' data in MySQL DB
- Secure way to store data in database
- Best way of encrypting text to store in mysql database
- php - storing encrypted string in mysql
- What's the best way to store sensitive data in MySQL?
- What's the best method to use / store encryption keys in MySQL