Where should I store an encryption key for php?

php security encryption administration
Levi picture Levi · Jul 20, 2011 · Viewed 7.5k times · Source

I'm writing a php application that accepts sensitive customer data, and so I need to encrypt it before storing it in a mysql database. I'm going to use mysql's built-in AES functionality to do column-level encryption.

I want to avoid storing the encryption key on the server, and so i'm going to provide a web-page for an administrator to log-in, and enter the encryption key. I want to store this key in memory while the application is running, but never permanently to disk.

What is the best way to do this?

Can I modify the $_SERVER array to store information between requests? Can I store the key with apache in some way? Maybe shared memory?

Answer

Explosion Pills picture Explosion Pills · Jul 20, 2011

Rather than rely on MySQL AES for encryption, why not use PHP's native openssl encryption scheme (a PECL extension). This requires a private and public key, public to encrypt, private to decrypt, and the keys can be kept in separate places.

Related questions

How do you Encrypt and Decrypt a PHP String?

What I mean is: Original String + Salt or Key --> Encrypted String Encrypted String + Salt or Key --> Decrypted (Original String) Maybe something like: "hello world!" + "ABCD1234" --> Encrypt --> "2a2ffa8f13220befbe30819047e23b2…

Read More
Simplest two-way encryption using PHP

What is the simplest way of doing two way encryption in common PHP installs? I need to be able to encrypt data with a string key, and use the same key to decrypt on the other end. The security isn't …

Read More
How to encrypt/decrypt data in php?

I'm currently a student and I'm studying PHP, I'm trying to make a simple encrypt/decrypt of data in PHP. I made some online research and some of them were quite confusing(at least for me). Here's what I'm trying …

Read More