I'm in the process of prototyping a file upload system for a service that needs a basic form of encryption for the files uploaded by users. All of the files uploaded will be uploaded to the same directory in which users can download and upload files freely, however only authorized users will be able to delete files from the uploads.
With this in mind, I need to know the best way to encrypt these files (via crypt()
or similar) for storage in a non-public-accessible directory for this purpose. I considered using the base 64 encode functions built into PHP to do this, but it seemed as if someone would be able to write a PHP script on another server to base 64 decrypt the files stored on my server, thereby rendering the encryption protection completely useless.
In summary, I need to know the best way to implement this (i.e. which functions or classes to use) so that it meets the following criteria:
$_SESSION
variables can decrypt the files that are encrypted.I may be worried about more than necessary, but I would like to make this as easy to use as possible with basic security. I'm not protecting anything particularly important such as credit card information or trade secrets, but the users I am designing for would like to have the peace-of-mind to know that there are at least some measures in place to prevent hacking of the files uploaded.
In PHP, Encryption and Decryption of a string is possible using one of the Cryptography Extensions called OpenSSL function for encrypt and decrypt. openssl_encrypt() Function: The openssl_encrypt() function is used to encrypt the data. Parameters: $data: It holds the string or data which need to be encrypted.
Right-click (or press and hold) a file or folder and select Properties. Select the Advanced button and select the Encrypt contents to secure data check box. Select OK to close the Advanced Attributes window, select Apply, and then select OK.
How do you encrypt decrypt data using a private secret key in PHP? Encrypted data can be decrypted via openssl_private_decrypt(). This function can be used e.g. to encrypt message which can be then read only by owner of the private key. It can be also used to store secure data in database.
base64 is not encryption.
If you want strong encryption, you'll want to think about using the GPG extension
Then you need to carefully consider your system architecture.
If the server needs to encrypt/decrypt files, the key will need to be on the server, and readable by the web server process. This means that if someone compromises your server, they probably have access to everything they need to decrypt your files!
Even worse, since your PHP app drives the encryption/decryption, all an attacker needs to do is get access to one of your users' accounts.
Encryption is only going to save you if an attacker somehow gets access to your file storage directory, but nothing else on the server. That's a very unlikely scenario.
In your case, it sounds like on-disk encryption is overkill. If the files are not directly web-accessible, that's probably enough. Focus instead on making sure the host system is secure (updated packages, good firewall rules), and that your application is secure (run it only under https, use best practices to defeat SQL Injection and CSRF attacks, require strong passwords, etc).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With