I’m looking for a secure way to store FTP passwords in a database so that they are usable only by specific users. The FTP details should be stored in such a way that if the entire database is exposed, the FTP password isn’t exposed. This should probably rely on the user’s password to temporarily decrypt the FTP password only when the user requests an FTP action. I’m looking for a solution that could implement this. It is probably useful to add that this concerns a web-based application using JavaScript and PHP.
This is not about how to use salt, hashes, MD5, SHA1, etc. This is about securing FTP passwords that the server should be able to use, e.g. to connect to an FTP server with. This is simply not possible with hashes because those are only one-way. Some symmetric password method should be used.
Example use case:
- User logs in to server
- User tells server to download file from his FTP details stored securely on the server
- Server looks up the FTP details and removes the encryption (possibly with the user's password). This question is about how you implement this step effectively
- Server does whatever it has to do and then removes the unencrypted password
You could use Mcrypt: http://php.net/manual/book.mcrypt.php
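
An added example, not part of the original question or answer: one way to implement the decryption step from the use case in PHP, with the key derived from the user's login password so that the database row alone cannot reveal the FTP password. It uses the libsodium functions bundled with PHP 7.2+ rather than Mcrypt (which was removed from PHP core in 7.2); the function names, row layout and sample passwords are hypothetical.

```php
<?php
// Added example: seal an FTP password under a key derived from the user's login password.
// Function names and the row layout are hypothetical; requires PHP 7.2+ (bundled sodium).

function deriveKey(string $loginPassword, string $salt): string {
    // Argon2id stretches the login password into a 32-byte secretbox key.
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $loginPassword,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

function sealFtpPassword(string $ftpPassword, string $loginPassword): array {
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = deriveKey($loginPassword, $salt);
    // secretbox is authenticated encryption: tampering or a wrong key is detected on open.
    $box   = sodium_crypto_secretbox($ftpPassword, $nonce, $key);
    sodium_memzero($key);
    // Only these three values go into the database row; the key itself is never stored.
    return [
        'salt'  => base64_encode($salt),
        'nonce' => base64_encode($nonce),
        'box'   => base64_encode($box),
    ];
}

function openFtpPassword(array $row, string $loginPassword): ?string {
    $key   = deriveKey($loginPassword, base64_decode($row['salt']));
    $plain = sodium_crypto_secretbox_open(
        base64_decode($row['box']),
        base64_decode($row['nonce']),
        $key
    );
    sodium_memzero($key);
    return $plain === false ? null : $plain; // null when the password is wrong or the row was altered
}

// Constructed sample values, for demonstration only.
$row = sealFtpPassword('ftp-s3cret', 'users-login-password');
$ftp = openFtpPassword($row, 'users-login-password');   // decrypt only for the FTP action
var_dump($ftp === 'ftp-s3cret');
var_dump(openFtpPassword($row, 'wrong-password'));      // a wrong login password cannot open the row
sodium_memzero($ftp);                                   // wipe the plaintext once the FTP work is done
```

Because the key comes from the login password, the server can only open the row while it holds that password (at login or when the user re-enters it), and a password change has to re-seal each stored row using the old password.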