Alex Nikitin wrote:

It's never a good idea to store all your keys in code,

True, but in the system I was referring to, only the closed source
app knows how to "see" the key in the encrypted templates and there is no way for another to know how to decrypt the encrypted templates to see any of the other keys in the code... It's a unique solution for this type of topic. I don't want to go into too many details because it's not about PHP and my intention with bringing it up was to see if others knew of a similar solution within PHP.. which I'm thinking there is not.

that is why we have
an iv, and a salt that you can use... neither is program encryption, since i
can dump it in it's executing form out of memory fairly easily;

Well, not with the situation/app I was talking about..

this is why
hard drive encryption without a controller that does crypto off the main
system is fairly pointless...

I'm not exactly sure what you are saying here.. but there are good reasons to have built the system that I was referring to... safe retrieval of secured data being the main idea.

Look, I agree that in a typical online passphrase type of setup, creating a hash to be matched for access is a great solution under sensitive situations. You don't need to retrieve the pass as the owner can change it if they forget... however, encryption is absolutely not worth nothing and the O.P. stated he was trying to learn about PHP's mcrypt.

Much of the time, a spec requires the access retrieval of secured data and a developer will have no choice anyway ;-). Not all sensitive data is at the same sensitivity level either... so mcrypt has its place.


D Brooke

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to