This is somewhat related to the whole PCI/credit card discussion a
couple weeks back. The consensus was basically "leave it to other
people" - however, what if YOU are the other person?

I wonder if anyone has some BKMs to share about encrypting data in a
web application. A lot of people take the most obvious approach, but
it's fundamentally flawed, that is:

I take data from the user, I encrypt it (using PHP crypto, or MySQL
crypto, etc.) and a key stored in my config file, and put it into the
database. Then when I want to get it back, I just use decrypt + the
key in my config file. The issue there? If your server is compromised
and the database is accessible, they'll have the key to decrypt the
data right off the server. They can pull down copies of everything or
even write their own script ON the server itself to extract the data.

This has been one thing that I have not really been able to figure out
yet. You could separate the servers, and figure out some very hard way
for them to communicate, but when it comes down to it, the webserver
needs to access the data. For example, the webserver could be behind a
fully firewalled setup that only allows MySQL traffic. However, the
webserver has to access the data still.

I assume the only solution is somehow storing the key in a third
place, so the accessor has to get the key somehow before accessing the
encrypted data. But again - how to automatically allow access for only
the webapp? I thought of per-user keys, but that isn't an appropriate
solution for something that needs to be encrypted using the same key.

Has anyone had to implement anything like this? Is there a good
whitepaper on something like this? Especially relating to HIPAA
requirements. PCI would be nice too, but I'm sure once this major
"unknown" in my mind is addressed, the general concepts are common,
probably just differences in levels of firewalling, cryptography
strength, physical access to the machines, etc.

Please keep this on topic - this is about the people who DO have to
address this issue, not something about "just offload it to other
guys" - that's an obvious choice already, and not one that is allowed
depending on the job.

Thanks :)
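One concrete shape the "key in a third place" idea can take, added here as an example that is not part of the original post: envelope encryption, where each record gets its own data key, only a wrapped copy of that key sits in the database next to the ciphertext, and the wrapping key lives on a separate key service that the web server has to call at request time. The KeyService class below is a hypothetical in-process stand-in for that separate host (a KMS, HSM or locked-down key box with its own authentication and audit log), and the code assumes PHP's sodium extension.

```php
<?php
declare(strict_types=1);
// Envelope encryption: each record gets its own data key (DEK). The DB row
// holds only the wrapped DEK plus ciphertext; the key-encryption key (KEK)
// that wraps DEKs never exists on the web server, so a copy of the database
// and the config file together decrypt nothing.

// Hypothetical stand-in for the off-box key service (KMS, HSM or a locked-down
// key host). In production this is a network call, not an in-process object.
final class KeyService {
    private string $kek;
    public function __construct() { $this->kek = sodium_crypto_secretbox_keygen(); }
    public function wrap(string $dek): string {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return $nonce . sodium_crypto_secretbox($dek, $nonce, $this->kek);
    }
    public function unwrap(string $wrapped): string {
        $n   = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        $dek = sodium_crypto_secretbox_open(substr($wrapped, $n), substr($wrapped, 0, $n), $this->kek);
        if ($dek === false) { throw new RuntimeException('DEK unwrap failed'); }
        return $dek;
    }
}

// Web-app side: what goes into the MySQL row. No long-term key is involved here.
function encryptRecord(KeyService $ks, string $plaintext): array {
    $dek   = sodium_crypto_secretbox_keygen();                 // fresh per record
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $row   = [
        'wrapped_dek' => $ks->wrap($dek),
        'nonce'       => $nonce,
        'ct'          => sodium_crypto_secretbox($plaintext, $nonce, $dek),
    ];
    sodium_memzero($dek);                                      // best-effort scrub
    return $row;
}

function decryptRecord(KeyService $ks, array $row): string {
    $dek = $ks->unwrap($row['wrapped_dek']);                   // request-time call
    $pt  = sodium_crypto_secretbox_open($row['ct'], $row['nonce'], $dek);
    sodium_memzero($dek);
    if ($pt === false) { throw new RuntimeException('record failed authentication'); }
    return $pt;
}

$ks  = new KeyService();
$row = encryptRecord($ks, 'constructed sample: patient MRN 000000');
// Whoever copies the row without access to the key service gets only authenticated junk:
var_dump(sodium_crypto_secretbox_open($row['ct'], $row['nonce'], random_bytes(32)) === false);
echo decryptRecord($ks, $row), PHP_EOL;
```

The "only the webapp may unwrap" part is enforced by the key service, not by the web server: it authenticates the caller (client certificate, instance identity) and logs every unwrap, so a stolen database shows up as a burst of unwrap requests rather than a silent offline decrypt.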

PHP General Mailing List