CodeIgniter Forums
Securing your encryption key - Printable Version


Securing your encryption key - El Forum - 03-02-2008

[eluser]bikuta[/eluser]
I am writing an application that needs to have very high security in terms of data protection. I was thinking maybe I could use the encrypt CI library; however, I'm not sure how I can protect the key.

Is there any way to protect the key if someone gains access to the server? I didn't think there would be, but I could be wrong.

What would be the most secure way to store the key?

Is there a way to encrypt the PHP script, i.e., to protect the application source code? That way, even though they can read it, they would not be able to understand it.


Securing your encryption key - El Forum - 03-02-2008

[eluser]Michael Wales[/eluser]
I would probably just ensure my server is configured correctly and there are no known vulnerabilities (patched, etc.). Obfuscating the PHP will merely keep them from seeing an encryption key for a web application - they still have access to your server.

By eliminating the latter, you eliminate the former.


Securing your encryption key - El Forum - 03-03-2008

[eluser]kevinprince[/eluser]
Following on from Michael, I totally agree that a fully patched server is your best protection, as is a properly configured firewall.

The other option for high security is to use client-side SSL; however, the file you send to the client is like giving away a key and shouldn't replace basic ACL.


Securing your encryption key - El Forum - 03-03-2008

[eluser]bikuta[/eluser]
OK, great, so that confirms a few things.

What about if I want to create an application for someone, but I don't want them to see the source?


Securing your encryption key - El Forum - 03-03-2008

[eluser]Michael Wales[/eluser]
Technically, yes, there are tons of PHP compilers/obfuscators out there.

Morally, if someone pays for the app they should be able to see the source. If they don't pay, you obviously trust them, it's an open source application, or they are a friend/associate - why wouldn't you let them see the source?


Securing your encryption key - El Forum - 03-03-2008

[eluser]bikuta[/eluser]
I was thinking hypothetically, because even if someone pays for the app, they could potentially reuse the code, which may not be part of the agreement.


Securing your encryption key - El Forum - 03-03-2008

[eluser]Lone[/eluser]
Ioncube is what we have found to be the best in the past. Keep in mind you shouldn't ioncube the CI system files - just your application files.