I use openssl and mysql encryption through PHP.
Currently, I write the key in the php source code, but I think it isn’t so secure. If someone gets the source (maybe FTP), encryption is broken.
So, how would you store encryption keys on Linux server? I can’t use another webserver to store the key.
I’m assuming you are using Apache.
Put the secret data into an environment variable in /etc/apache2/envvars, set the owner to root and the permissions to 400. An attacker will have to compromise the server to put his hands on your key.
You can also cook up a script that asks for the secret when Apache starts (annoying, but even more secure).
Note that people with root access will always be able to get your key and trying to hide it from them is just a placebo.
Placebo solution:
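As an added example of the envvars approach described in the answer above (not code from the original post), the shell functions below install the key as an `export` line and then audit that the file is still root-owned, mode 400 and actually carries the variable. The variable name `APP_ENCRYPTION_KEY` and the function names are assumptions for illustration; run the install/audit as root on a real server.

```shell
#!/bin/sh
# Added example: lock down and audit the Apache envvars file that carries the key.
# Assumed variable name: APP_ENCRYPTION_KEY (illustrative, not from the original post).
# Under mod_php the key is then read in PHP with getenv('APP_ENCRYPTION_KEY').

# 0 if FILE already exports VAR, 1 otherwise (2 from grep if FILE is missing).
has_export() {
    grep -Eq "^export[[:space:]]+$2=" "$1" 2>/dev/null
}

# Append "export VAR='VALUE'" to FILE with a restrictive umask, then force mode 400.
# Refuses to add a second definition of the same variable. VALUE must not contain "'".
install_key_export() {
    file="$1" var="$2" value="$3"
    if has_export "$file" "$var"; then
        echo "$var already defined in $file" >&2
        return 1
    fi
    ( umask 077; printf "export %s='%s'\n" "$var" "$value" >> "$file" ) || return 1
    chmod 400 "$file"
}

# 0 if FILE is mode 0400 (owner read only, nothing for group/other).
check_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "400" ]
}

# 0 if FILE is owned by EXPECTED_OWNER (default root).
check_owner() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$owner" = "${2:-root}" ]
}

# Full audit: owner, mode and presence of the export line; prints what failed.
audit_key_file() {
    file="${1:-/etc/apache2/envvars}" var="${2:-APP_ENCRYPTION_KEY}" rc=0
    check_owner "$file" root || { echo "FAIL: $file not owned by root" >&2; rc=1; }
    check_mode "$file"       || { echo "FAIL: $file is not mode 400" >&2; rc=1; }
    has_export "$file" "$var" || { echo "FAIL: $var not exported in $file" >&2; rc=1; }
    return $rc
}

# Usage: sh audit_envvars.sh [/etc/apache2/envvars] [APP_ENCRYPTION_KEY]
if [ "$#" -gt 0 ]; then audit_key_file "$@"; fi
```

Note that php-fpm pools do not read /etc/apache2/envvars; there the equivalent is an `env[...]` entry in the pool configuration with the same ownership and permission rules.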