I’m building an application which facilitates the upload of files. The application will have a case which files are assigned to and users are assigned to cases. The whole application is only accessible to logged-in users.
Now my thinking is to create a folder structure for each case. Files will obviously only be served through a script, so no public downloads. The files may be of various contents mainly because it is a forensics based application.
My only problem is that I wonder if it is possible to prevent local access to these uploaded files. For example, preventing someone from gaining access to the server it is hosted upon and modifying files or just accessing files. Could I encrypt the files and store keys in the database? I know if the database was gotten hold of then the encryption would be useless?
Is there a better way to achieve this functionality? Does anyone have any feedback on how this could be accomplished?
I have a base app built using Zend Framework 2, but I am producing a research paper and what I decide here will greatly affect my research. Thanks
It is possible to encrypt the files, like you say, but it’s better to prevent access to the server in the first place. Once they hack your web server, what makes you think they can’t hack your database?
Also, if they gain access to the web server, they have access to the script that serves the encrypted files. Since that script already has the functionality to decrypt the files, it will be a piece of cake to gain access.
Long story short: Protect the web server itself.
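
The question's worry that keys stored in the database become useless once the database is stolen can be narrowed with envelope encryption, sketched here as an added example that is not part of the original thread: each file gets its own data key, and the database stores that key only after it has been wrapped with a key-encryption key (KEK) held elsewhere. The function names, the `CASEFILES_KEK` environment variable and the `case-17/file-3` identifier are assumptions made for illustration.

```php
<?php
// Added example: envelope encryption for uploaded case files (AES-256-GCM).
// Assumption: the KEK lives outside the database, e.g. in a hypothetical
// CASEFILES_KEK environment variable (base64 of 32 random bytes).
const CIPHER = 'aes-256-gcm';

// Encrypt and authenticate; $aad binds the blob to one file id.
function seal(string $plaintext, string $key, string $aad): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct; // 12-byte IV | 16-byte tag | ciphertext
}

// Decrypt; fails if the blob, the key or the file id does not match.
function unseal(string $blob, string $key, string $aad): string {
    $pt = strlen($blob) < 28 ? false : openssl_decrypt(
        substr($blob, 28), CIPHER, $key, OPENSSL_RAW_DATA,
        substr($blob, 0, 12), substr($blob, 12, 16), $aad
    );
    if ($pt === false) {
        throw new RuntimeException('authentication failed: modified data or wrong key');
    }
    return $pt;
}

// Upload path: a fresh data key per file, stored only in wrapped form.
function encryptUpload(string $contents, string $kek, string $fileId): array {
    $dataKey = random_bytes(32);
    return [
        'file_blob'   => seal($contents, $dataKey, $fileId), // goes to the case folder
        'wrapped_key' => seal($dataKey, $kek, $fileId),      // goes to the database row
    ];
}

// Download path, as run by the serving script.
function decryptDownload(array $rec, string $kek, string $fileId): string {
    return unseal($rec['file_blob'], unseal($rec['wrapped_key'], $kek, $fileId), $fileId);
}

$kek = random_bytes(32); // constructed demo key; real use: base64_decode(getenv('CASEFILES_KEK'))
$rec = encryptUpload('constructed evidence bytes', $kek, 'case-17/file-3');
echo decryptDownload($rec, $kek, 'case-17/file-3'), PHP_EOL;
$rec['file_blob'] .= 'x'; // simulate modification of the stored file
try { decryptDownload($rec, $kek, 'case-17/file-3'); }
catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

This layout covers theft of the database or of the file store on their own and makes on-disk modification detectable. A compromised web server still exposes whatever the serving script can decrypt, as the answer points out.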