Encrypt database passwords in the conf file

Viewed 420 times

1

I have a PHP system with a config.php file in which the database passwords are stored. The problem is that the passwords stored in this file are very exposed. I would like to know a safer way to store these passwords.

Part of the code follows below:

```php
define("TIPO_BANCO", "pgsql"); // Database type used, e.g. pgsql
define("LOCALHOST", "localhost");
define("PORTA", "5432");
define("BANCO", "teste1");
define("USUARIO", "teste1");
define("SENHA", "teste1");

define("LOCALHOSTCG", "localhost");
define("PORTACG", "5432");
define("BANCOCG", "teste2");
define("USUARIOCG", "teste2");
define("SENHACG", "teste2");
```

2 answers

1


I won’t say it’s not possible, but think about it this way. To access this file you need to have access to the server; if an unauthorized person is already inside your server, they can probably access your database even without this configuration file.

Another point that must be taken into account: to encrypt the data you would need a two-way algorithm, that is, one where the data can be encrypted and then decrypted, otherwise you will never be able to access the database.

At this point you may be thinking it’s a good idea, but unfortunately you’re only going to have the same problem, because the encryption key will be exposed in the same way as the configuration file, since you’ll need it to decrypt and connect to the database, and with it, it will be possible to decrypt the database data. Basically it’s the same thing as closing a safe and leaving a note on the door saying where the password is.

I hope I’ve helped in some way.

1

Gomes, I had similar doubts when I was setting up my site/server.

Even if we encrypt the configuration file, elsewhere in our PHP we would have to put the password to access the file.

The safety recommendations I found are: (Note: they apply to PHP-FPM with Nginx on Linux; I don't know to what extent they apply to other systems)

  1. Put the file "before" the web server root folder, but still accessible by the PHP process. Ex: If the page root is "/var/www/html", put your configuration file in "/var/www/" or another folder. So even if someone can list your files through the web server, the password file will be out of reach.
  2. Remove all "group" and "other" permissions from this configuration file.
  3. Change the file owner to the same user that runs PHP-FPM.

This brings us closer to the way Linux stores private SSH keys. Only the user running PHP-FPM or the root user can access this file.

I hope I’ve been of some help.
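
The three recommendations in the answer above can be checked with a small audit script. This is an added example, not part of the original answer; it assumes GNU `stat` and `readlink -f` (Linux), and the function name `audit_config` and the paths and user name in its comments are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PHP config file against the three recommendations.
# Assumes GNU coreutils (stat -c, readlink -f), as found on Linux.
# Hypothetical usage: sh audit.sh /var/www/config.php /var/www/html www-data
# ("www-data" is an assumed PHP-FPM account name; use the one from your pool).

# audit_config FILE WEBROOT OWNER
# Prints one line per finding; returns 0 if the file passes, 1 otherwise.
audit_config() {
    file=$1 webroot=$2 owner=$3 rc=0

    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # Resolve symlinks and ".." so the comparison is made on real paths.
    real_file=$(readlink -f "$file")
    real_root=$(readlink -f "$webroot")

    # 1. The file must not live under the web server root.
    case "$real_file" in
        "$real_root"/*)
            echo "FAIL: $real_file is inside web root $real_root"; rc=1 ;;
    esac

    # 2. No permission bits for group or other (octal mode & 077 must be 0).
    mode=$(stat -c '%a' "$real_file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group/other access (want 600 or 400)"
        rc=1
    fi

    # 3. The owner must be the account that runs PHP-FPM.
    actual=$(stat -c '%U' "$real_file")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: owner is $actual, expected $owner"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $real_file"; fi
    return "$rc"
}

# Run the audit when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then audit_config "$@"; fi
```

A failing check is corrected with `chmod 600` and `chown` to the PHP-FPM user, or by moving the file out of the web root.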
