Storing AES_ENCRYPT Key

This is more of a security question regarding using AES_ENCRYPT to generate encryption on开发者_如何学Python data being inserted into a MySQL database.

What is the best location in which to store the key that is used to encrypt the data ? Obviously not in the database ! :)

Well, you don't have many options. Wherever you put that key (database, code, file), it is easily found as long as other people has access to the machine.

What you could do is that you encrypt that key with another key based on some password (which is not stored anywhere, at least not locally) and ask for that password on the startup of the application. This way, you can store encrypted AES_ENCRYPT key into your database, decrypt it after logging in with your password and start using it.

Security by obscurity!

If your webserver is compromised, then the attacker can access the key, no matter where it's stored - since the code must be able to find the key to do the encryption/decryption - and the code explains where it finds the key. The only scenario where this adds real value is in protecting the data outside of the application (e.g. on a backup tape). However since you're compromising the DBMs's ability to optimize queries and creating a much bigger data footprint, for such a purpose as a backup, it makes a lot more sense to encrypt the backup or the filesystem - not individual data items.

Even if you use keys which are not permanently stored within your application (e.g. a HTTP basic authentication password supplied over SSL) there are still a lot of risks that the data will be compromised - and you've got problems with sharing data between different users.

In order to provide a sensible answer we need to know what the threat model is and whether you have external constraints such as PCI-DSS

The issues of securely storing keys and passwords used in your PHP / Python / other application on a server is not only related to hiding the keys from an attacker who has gained root on your sever, although you can make it more difficult for an attacker who has gained root to access them, it can eventually be done.

However, keys / passwords can be lost in many other ways and so must be protected. For example, if your software is being updated from a development environment, i.e. being pushed and pulled through a git server, you do not want the keys to be included in plain-text in the source code. That would give anyone on your development team access to them.

One option to store keys "more securely" is to have them configured as environment variables and then include them in your application by accessing that environment variable instead of having the key in "plain-text" within your application.

However, this requires that you set the environment variable to be persistent so that if you reboot the sever it will automatically be set again, or else you must set it each time you reboot.

If you are using Apache web-server, you may also set Apache environment variables for sensitive keys / passwords in the httpd.conf file, and then access them from your PHP script. You can also restrict the permissions on the httpd.conf file for only root to have read/write.

// Example use of getenv()
$sensitive_key = getenv("VERY_SENSITIVE_KEY");

// Example use of apache_getenv()
$sensitive_key = apache_getenv("VERY_SENSITIVE_KEY");

This means that the key / password is not included in the application source code itself, and will be less likely to escape the server.