Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
afih2015-04-27 22:04:28
PHP
afih, 2015-04-27 22:04:28

How to protect the encryption key in php?

There is a task - to encrypt the data (details) of users in the database (postgresql).
I got acquainted with the question of another user . I did not find a clear answer.
Requirements: the data must be safe, even if they got access to the server, merged the database, got all the project scripts, and so on and so forth.
Previously used perl(dancer). There I solved the situation as follows: before starting the server, I loaded a text file with an encryption key. During dancer startup, the file was being read and deleted. The key was kept while the dancer was running. If: the dancer daemon crashed or a user with administrative rights entered, the encryption key was erased from memory.
Current development should be implemented in php.
I tend to the solution - writing a php extension that will pull the encryption key from a neighboring resource.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
S
Sergey Savostin, 2015-04-27
@savostin

Do the same - store the key in memory.
In memcahed or in shared memory.
You can store in $ENV (for example, create a php-fpm config with $ENV set dynamically before launch and delete it after launch).
You just need to think about an automatic restart, you never know ...

Report
X
xmoonlight, 2015-04-28
@xmoonlight

A daemon (db-wrapper) is written to a socket that receives a key from a file (or another host) to decrypt the result of the database inside this daemon process. Key salt - stored inside this process, bound to a domain or MAC interface.
The daemon runs as a different user with reduced privileges than the web server and PHP.
It is possible to decrypt the data directly on the client via JS.
But, that's a completely different story....

Report
O
OnYourLips, 2015-04-27
@OnYourLips

Anyone who gains access to your server can put a breakpoint where the key was used and read it.
The idea with dancer is interesting, you can use a similar script and a variable in memory.

Report
S
SagePtr, 2015-04-28
@SagePtr

On the server, the key is stolen or the code that steals it is injected.
On the client, if you calculate, they will also replace the scripts and be able to steal.
So far, I see only one option - if a program signed by the author's EDS will be used as a client, which will not fully trust the server. And when downloading updates, check their EDS and only then install. As a result, even if the server is hacked, they will not receive the key with which the author signs the program and will not replace it, and the user's keys will not go anywhere beyond the client. Although here they can replace the program installer, but only new users will receive it.

Similar questions
G
GRO242019-08-30 15:23:29
Why doesn't Bootstrap 4 align blocks? 2Reply
I
ITpie2021-03-25 20:16:06
How to make docker to test python code with certain libraries? 3Reply
P
Pavel2014-05-18 14:34:20
How to set up Chrome DevTools Autosave on windows? 4Reply
O
Ob1van2016-06-24 15:03:47
How to correctly configure suricata ips in af_packet mode ubuntu 16.04 server behind a transparent TOR gateway. Is it possible? 1Reply
S
student_it2015-04-19 11:49:55
How can I prevent the Referer from being sent when playing an audio file via the HTML Audio tag? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question