[SOLVED]

 Data Encryption.............problem & suggestion

1/28/2021 2:14:35 AM
PHPRunner General questions
MarkRed author

Hello everyone. Unfortunately, I have noticed that the encryption feature, as I was told, in the Enterprise version does not help to "lock" the data as the encryption key is clearly visible in the "connection" file :( So, there is no way to protect the data and make it not readable. The encryption key should also be encrypted. We know very well that any host could browse our domain account. Now, the encrypted data, for example made with version 10.5, when the next version and others will come out, how would it be resolved if you wanted to update, how does the export of this data work? A suggestion, when opening the web page, you could ask the user for the encryption key which also resides in a database. Thanks for the exquisite attention :)

Admin 1/28/2021

I'm afraid you don't understand how encryption works. If you encrypt the encryption key you need to store the second encryption key somewhere in your code in plain text. So your data is as secure as the access to your PHP code. If someone can access your PHP code they have access to your data, doesn't matter if encryption is used or not.
The point of encryption is to protect your data in case someone gets access to your database. However, if someone gets access to your code - your data is no longer safe.
While asking the user to enter the encryption key is possible in general, I haven't seen anyone doing that. The encryption key is a long set of hexadecimal characters, not something that you can remember, and the user will have to write it down somewhere. So it comes to the question, where is this key better protected, on your server or in the end user's hands?

MarkRed author 1/28/2021



Thanks for the reply :)

I simply meant that any plaintext data, such as user, password, etc., visible in the PHP connection file, should all be variables coming from an encrypted database table. Anyone who would have access to the databases would never see the data in clear text. I know it's a bit cumbersome but it would be much more effective. It is fair to say that the encryption key would be difficult to remember but with a simple "copy and paste", kept well somewhere else, it would be more comfortable. My idea would be: no sensitive data in PHP files, like user, password, decryption key - all variables. Another problem would be the backup of this data .... "encrypted" data that would work, for reading, only with PHPRunner and only with the version currently used. I am not only thinking of hackers but it is also difficult to believe that the administrators of a site are so honest that they do not read my data. Therefore, I am more convinced that my data remains safe, armored, in my QNAP Server. Anyway, thank you for the wonderful answer and with that I think I have "teased" to make some improvements, in terms of security, to this GREAT program from PHPRunner - the best in the world !!! :)
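The trade-off argued in this thread, as an added PHP example (not PHPRunner's code and not written by either poster): a key kept in the connection file, the same key encrypted under a second key that is also on the server, and a key wrapped under something only the user supplies. Deriving the wrapping key from a passphrase with PBKDF2 is an assumption of this example, and all names and values are constructed.

```php
<?php
const CIPHER = 'aes-256-gcm';

// Encrypt with AES-256-GCM; returns nonce || tag || ciphertext.
function seal(string $plain, string $key): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $nonce . $tag . $ct;
}

// Returns the plaintext, or null when the key is wrong or the blob was altered.
function unseal(string $blob, string $key): ?string {
    $pt = openssl_decrypt(substr($blob, 28), CIPHER, $key, OPENSSL_RAW_DATA,
                          substr($blob, 0, 12), substr($blob, 12, 16));
    return $pt === false ? null : $pt;
}

// Wrapping key derived from what the user types; it is never written to disk.
function kek_from_passphrase(string $passphrase, string $salt): string {
    return hash_pbkdf2('sha256', $passphrase, $salt, 600000, 32, true);
}

$dataKey = random_bytes(32);                           // key that encrypts the fields
$row     = seal('patient note (constructed)', $dataKey); // what the database stores

// Layout A: hex key in the connection file. Whoever reads the file reads the row.
$connectionFile = ['encryption_key' => bin2hex($dataKey)];
var_dump(unseal($row, hex2bin($connectionFile['encryption_key'])));

// Layout A2: "encrypt the key". The second key has to live on the server too,
// so the same file reader unwraps the data key and decrypts exactly as before.
$secondKey = random_bytes(32);
$files = ['wrapped_key' => seal($dataKey, $secondKey), 'second_key' => $secondKey];
var_dump(unseal($row, unseal($files['wrapped_key'], $files['second_key'])));

// Layout B: the wrapping key comes from the user. Files and database hold only
// the salt and the wrapped key; neither is enough to decrypt on its own.
$salt   = random_bytes(16);
$stored = ['salt' => $salt,
           'wrapped_key' => seal($dataKey, kek_from_passphrase('constructed passphrase', $salt))];

// Someone with every file and the whole database, but not the passphrase:
var_dump(unseal($stored['wrapped_key'], kek_from_passphrase('a wrong guess', $stored['salt'])));

// The user, after typing the passphrase into the login form:
$unwrapped = unseal($stored['wrapped_key'], kek_from_passphrase('constructed passphrase', $stored['salt']));
var_dump(unseal($row, $unwrapped));
```

In layout B the unwrapped key still sits in server memory while the user is logged in, so anyone who can change or run the PHP code can capture it; the gain is limited to someone who can only read the files and the database at rest.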