But what do you do about the key? I have been trying to figure out a similar construct for our sites, but if you encrypt your data with a two-way algorithm, you will need a key to decrypt it. The question then becomes, where do I put that key? One option we are (sort of) considering is that the server will not restart without a user entering a pass-phrase that the server startup script then uses as the key for decryption. The obvious problem is that if the server goes down at 2 a.m. (U.S.) EST, then none of us are going to know about it until 9 the next morning. Many of our applications are deployed globally, so this just won't work.
Right now we keep the DB username/password in a single file stored outside of the web accessible directories, and since we are always on a dedicated server (or Virtual Private Server) it's reasonably secure. In the end, it really comes down to the client's security needs too; some care more than others.
-stvn

In reply to Re: Re: Securing your scripts on webhoster's server by stvn, in thread Securing your scripts on webhoster's server by b10m
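One way to load database credentials from a single file kept outside the web-accessible directories, as the post above describes; this is an added example, not stvn's code. The paths, the `key = value` file format and the name `load_db_credentials` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use Fcntl qw(:mode);

# Hypothetical paths (assumptions); adjust to the actual server layout.
my $DOCROOT   = '/var/www/html';
my $CRED_FILE = '/etc/myapp/db.conf';

# Read "key = value" credentials, refusing any file that is reachable
# through the web server or accessible to anyone but its owner.
sub load_db_credentials {
    my ($file, $docroot) = @_;

    # Resolve symlinks first so a link cannot hide a file that really
    # lives under the document root.
    my $real = abs_path($file)    or die "cannot resolve $file\n";
    my $root = abs_path($docroot) or die "cannot resolve $docroot\n";
    die "$real is inside the document root $root\n"
        if $real eq $root || index($real, "$root/") == 0;

    # stat the open handle, not the path, so the permission check applies
    # to the same file that is read afterwards.
    open my $fh, '<', $real or die "cannot open $real: $!\n";
    my @st = stat $fh or die "cannot stat $real: $!\n";
    die "$real must be a regular file\n" unless S_ISREG($st[2]);
    die sprintf("%s has mode %04o; remove group/other access\n",
                $real, $st[2] & 07777)
        if $st[2] & (S_IRWXG | S_IRWXO);

    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*#/ || $line !~ /\S/;   # comments, blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "malformed line $. in $real\n";
        $cfg{$k} = $v;
    }
    close $fh;

    defined $cfg{$_} or die "missing '$_' in $real\n" for qw(username password);
    return \%cfg;
}

my $cred = load_db_credentials($CRED_FILE, $DOCROOT);
# The hash ref can then be handed to the database layer, for example:
# DBI->connect($dsn, $cred->{username}, $cred->{password}, { RaiseError => 1 });
```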