Obfuscating encryption_key

#1
I am currently writing a web app where much of the data stored in the database will be encrypted using the CI encryption library.

The obvious single point of failure here is the encryption key, which is stored in plain text in the config file, and so I'm trying to think of ways to either obfuscate this or at least make it harder to recover in the event that the server is compromised.

The best solution that I have so far come up with is to store the encryption_key in a file external to the server on Amazon AWS and restrict access to this file to the IP of the web app server. I would probably base64 encode this too.

As I see it this would protect the sensitive data in the case that the server is compromised as, assuming the breach was momentary, if the external file containing the base64 encoded encryption_key was not downloaded then the data would be safe.

I'm not particularly strong on encryption and data security and was wondering if anyone could suggest improvements to this system, or an alternative method. I appreciate that I'm not going to be able to achieve absolute data security; I'm just trying to make things as hard as possible in the event of a full server breach.

Thanks,

John

#2
If the server is compromised to the point where they can read the plain text in a config file, then they are probably able to have their way with the code that retrieves the key from a secondary, external server. I don't mean to say storing the key on a different machine is a bad idea, only that it's not enough.

This article will give you some useful thoughts on the matter. And this article has a reasonable examination of key management along with additional information resources.

#3
I'd take a look at AWS Key management store. They can rotate keys for you in environment variables which is securely passed in via the AWS SDK.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!