Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Security of storing an encryption key in PHP file

So I am encrypting data, storing it in the database, and decrypting it, using mcrypt. I am wondering if it's safe to store the key for encryption in a php file outside of the public_html directory?

The reason for storing it in a file is that it needs to be used for multiple encryptions, so that multiple users can decrypt some data, and I figured storing it in a file is more secure than in the database table, right next to the encrypted data.

What are ANY potential security risks? Is it at ALL possible for a hacker to gain access to this file and thus the key?

like image 571
Sneaksta Avatar asked Dec 11 '12 11:12

Sneaksta


People also ask

How does PHP store encryption keys?

Write a php config file and store it in your home directory. Allow only php to have access to it. $cryptKey = "aac1ebadcfabdef72376acd" ; Include at the top of every php page that uses the encryption key using an absolute path to the home folder.

Where are PHP keys stored?

The user 'key' is stored in the database; but the private key (application level) is stored as txt-file in the FS. Off course 'above' the web-root.


1 Answers

Storing it above the public_html is a good idea. Your file should have the correct permissions configured so that only the web server or users that require it can read it.

An option is to split the key up and store in different places, for example part of it in a file on the file system, and part in the database. The benefit of this is it's harder to get the full key for an attacker because they need to access both the file system and the database.

Also consider your server environment has an affect on security, for example shared hosting is less secure than a dedicated server.

No one can say that it's impossible for an attacker to access the key because that depends on your entire server setup and config. Server's are most often compromised through vulnerabilities in software such as web servers, so you should follow good security practices such as keeping your software up to date.

like image 100
MrCode Avatar answered Nov 15 '22 07:11

MrCode