So I am encrypting data, storing it in the database, and decrypting it, using mcrypt. I am wondering if it's safe to store the key for encryption in a php file outside of the public_html directory?
The reason for storing it in a file is that it needs to be used for multiple encryptions, so that multiple users can decrypt some data, and I figured storing it in a file is more secure than in the database table, right next to the encrypted data.
What are ANY potential security risks? Is it at ALL possible for a hacker to gain access to this file and thus the key?
Write a php config file and store it in your home directory. Allow only php to have access to it. $cryptKey = "aac1ebadcfabdef72376acd" ; Include at the top of every php page that uses the encryption key using an absolute path to the home folder.
The user 'key' is stored in the database; but the private key (application level) is stored as txt-file in the FS. Off course 'above' the web-root.
Storing it above the public_html is a good idea. Your file should have the correct permissions configured so that only the web server or users that require it can read it.
An option is to split the key up and store in different places, for example part of it in a file on the file system, and part in the database. The benefit of this is it's harder to get the full key for an attacker because they need to access both the file system and the database.
Also consider your server environment has an affect on security, for example shared hosting is less secure than a dedicated server.
No one can say that it's impossible for an attacker to access the key because that depends on your entire server setup and config. Server's are most often compromised through vulnerabilities in software such as web servers, so you should follow good security practices such as keeping your software up to date.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With