Question about keychains/securing access to encryption keys

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Question about keychains/securing access to encryption keys

Post by mecha_godzilla »

Hi,

Quick background to this question:

I'm working on a web application that will need to encrypt/decrypt data. I'm fully aware of what the issues are with storing private keys on a web server but in this instance there's no alternative so I came up with the following 'scheme':

1. encrypt the data with a symmetric key
2. encrypt the symmetric key with a public/private key pair
3. encrypt the private key with a passphrase

I've since found out that this is how Weave works so I took this as a sign that if Mozilla can do this kind of thing then so can I :mrgreen: However, what I now need to do is find a way to store the keys in some kind of keychain so that they can't be easily copied or removed from the server. This keychain also needs to be accessible from my PHP scripts of course.

My questions are:

1. Can I use GnuPG's in-built functions to create a secure keychain or do I really need a dedicated app?

2. When SSL certificates are installed on Un*x/Linux servers, how are they secured?

3. Once someone's entered the correct passphrase once, is there a sensible way to re-authenticate the decryption process without keeping the passphrase in memory somewhere?

Thanks in advance,

Mecha Godzilla
Post Reply