Page 1 of 1

Most secure way to store your encryption key?

Posted: Thu Oct 30, 2008 11:31 am
by phpNewb
I've spent the past 3 hours reading about data encryption and PHP. It seems that if you read 5 different articles, you'll get 5 different sets of do's and don'ts many of which contradict each other. Therefore I'm sure that each person that reads this post will have a unique security solution based on unique books and references. For that reason I'm asking for a specific response to a specific question. I'm sure there are many answers, and that's fine, but please stick to this specific issue...

What is the most secure way to store an encryption key (a string to be used with mCrypt) on a Linux/Apache server?

I am thinking of using a hash of 2 strings: A string hard-coded as a ('Security' class) object property, and an Environment Variable set using 'SetEnv' in httpd.conf file (or equivalent), which can be removed after each server restart so that it does not remain 'in a file'.

Please share any thoughts that you may have on my proposed solution as well as your own. Thanks in advance.

Re: Most secure way to store your encryption key?

Posted: Fri Nov 07, 2008 8:40 am
by josh
phpNewb wrote:What is the most secure way to store an encryption key (a string to be used with mCrypt) on a Linux/Apache server?.
I don't think anyone can answer that for you with 100% certainty. Security doesn't just apply to the software either, someone could root the box and dump memory contents or steal the physical box. Preferably the secure stuff wouldn't be geographically near the insecure stuff.

IMO your best bet is to use a "salt" and user based "pepper" on the string before encrypting the data