Where to store the encryption key when using AES encryption in PHP?

I use AES-256 bit in my web application:

http://www.utoxin.name/2009/07/automatic-db-field-encryption-in-cakephp/

One of the steps says to save the cipher and key used in the bootstrap file. But what prevents someone from scanning the file system using PS or something else and decrypting the data?

What is the best way to protect data?

+2
3 answers

If someone has access to all the files on your server's hard drive, all bets are off. So you cannot protect your data in that case, because your web server must still have access to it.

This encryption will only protect you from intruders who can access the database but not the file system, for example through SQL injection. And even in that case they may be able to read the data: depending on the specific leak, the webapp can happily decrypt it for them!

+6

(I understand this is an ancient question, but as the author of the related blog post, I wanted to add a few comments)

Everything the accepted answer says is correct. Once your file system is compromised, there is no protection. In addition, yes, if poorly written, the application can hand out the data in unencrypted form. This tool was intended simply to simplify the handling of data encryption in the database. If you do not like the automatic decryption, it would be trivial to remove the afterFind() callback from the behavior so that it no longer happens, along with any number of other adjustments that could improve security (at the cost of convenience).

I hope this helps someone else who stumbles on this post. Someone does, since I just got a couple of hits on my blog from this question. :)

+1

On Unix, you can save it to a file created by the apache user account with permissions of 0600. It can still be accessed by root, so if root is protected, there is no problem. I don't know about Windows.

-1
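One way to enforce the layout this answer describes from the PHP side, as an added example that is not code from the question, the answers, or the linked CakePHP behaviour: the key lives in a file outside the web root, the application checks at load time that the file is owned by the account the web server runs as and has mode 0600, and refuses to start otherwise. The key path, the hex encoding of the key, and the AES-256-GCM field format are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the page's or CakePHP's code). Loads an AES-256 key from a file
// outside the web root and rejects it unless it is a plain file, mode 0600, owned by
// the web server user. The path and the hex encoding of the key are assumptions.
function loadAesKey(string $path): string
{
    // A symlink could point into a world-readable location; insist on a plain file.
    if (!is_file($path) || is_link($path)) {
        throw new RuntimeException("key file missing or is a symlink: $path");
    }
    $stat = stat($path);
    if ($stat === false) {
        throw new RuntimeException("cannot stat key file: $path");
    }
    // Permission bits only; any group/other access or an owner execute bit is rejected.
    $mode = $stat['mode'] & 0777;
    if (($mode & 0177) !== 0) {
        throw new RuntimeException(sprintf('key file mode is %04o, expected 0600', $mode));
    }
    // The file must belong to the web server user (e.g. apache), not to another account.
    if (function_exists('posix_geteuid') && $stat['uid'] !== posix_geteuid()) {
        throw new RuntimeException('key file is not owned by the web server user');
    }
    // The key is stored hex-encoded: 64 hex characters = 32 bytes for AES-256.
    $key = hex2bin(trim((string) file_get_contents($path)));
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('key file must contain exactly 64 hex characters');
    }
    return $key;
}

// AES-256-GCM: the IV and authentication tag are stored with the ciphertext, so a
// tampered database row fails decryption instead of silently yielding garbage.
function encryptField(string $plaintext, string $key): string
{
    $iv = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

$key = loadAesKey('/etc/myapp/db-field.key'); // assumed path, outside the web root
echo encryptField('value to protect', $key), PHP_EOL;
```

The check only raises the bar for a partial compromise such as a directory traversal or a misconfigured document root; as the accepted answer notes, an attacker who can read arbitrary files as the web server user still gets the key.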
