i use gpg -- it took forever to figure out how to use it along with php (an O'Reilly book was essential). if it's installed on your server, i think it's a pretty effective way to store sensitive data.
function gpg_encrypt($msg, $sender, $recipient){
    $gpg_path = '/usr/local/bin/gpg';
    $home_dir = '/home/myhomedir';
    // every user-supplied value goes through escapeshellarg() before it is
    // interpolated into the shell command
    $msg = escapeshellarg($msg);
    $sender = escapeshellarg($sender);
    $recipient = escapeshellarg($recipient);
    $user_env = 'web';
    // HOME and USER are set so gpg finds the web user's keyring ($HOME/.gnupg)
    $cmd = "echo $msg | HOME=$home_dir USER=$user_env $gpg_path " .
           "--quiet --no-secmem-warning --encrypt --sign --armor " .
           "--recipient $recipient --local-user $sender";
    $output = shell_exec($cmd." 2>&1");
    return $output;
}

function gpg_decrypt($msg, $passphrase){
    $gpg_path = '/usr/local/bin/gpg';
    $home_dir = '/home/myhomedir/.gnupg';
    // write the armored message to a temporary file that gpg reads from
    $filename = uniqid("");
    $tmp_file = tempnam("/home/myhomedir/tmp",$filename);
    $handle = fopen($tmp_file,"w");
    fwrite($handle,$msg);
    fclose($handle);
    $passphrase = escapeshellarg($passphrase);
    // the passphrase is piped in on stdin (--passphrase-fd 0)
    $cmd = "echo $passphrase | $gpg_path " .
           "--quiet --no-secmem-warning --homedir $home_dir " .
           "--batch --no-tty --passphrase-fd 0 --decrypt " . escapeshellarg($tmp_file);
    $output = shell_exec($cmd." 2>&1");
    // stderr is merged into the output (2>&1), so drop the first 3 lines of
    // gpg status text that precede the plaintext
    // (eregi_replace() was removed in PHP 7; preg_replace() does the same job)
    $output = preg_replace("/^([^\n]*\n){3}/","",$output);
    $output = nl2br($output);
    unlink($tmp_file);
    return $output;
}
you can test it using this script:
$secret_message = "This is a secret message";
$encrypted = gpg_encrypt($secret_message, "sender@server.com", "recipient@server.com");
$un_encrypted = gpg_decrypt($encrypted, "supersecretpassphrase");
echo "<p>encrypted:<br />$encrypted</p>";
echo "<p>un_encrypted:<br />$un_encrypted</p>";
where 'supersecretpassphrase' is recipient@server.com's gpg passphrase.
make sure there's a world readable/writable "tmp" directory in your home directory. look to my other recent post on what the .gnupg permissions should be. let me know if you need help setting up the gpg keys as well.
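The same two wrappers, as an added example that is not part of the original post, rebuilt on proc_open() so that the message, the passphrase and the key ids reach gpg as arguments and pipes instead of being interpolated into a shell command string: a command string handed to shell_exec() is run by sh and is visible in the process listing of the host, and any quoting slip in it becomes command injection. It assumes PHP 7.4 or later (array form of proc_open(), no shell involved), GnuPG 2.1 or later (which needs --pinentry-mode loopback for --passphrase-fd), gpg at /usr/local/bin/gpg and the keyring under $home_dir/.gnupg as in the post; the paths, addresses and the 'web' user are placeholders taken from the post.

```php
<?php
// Added example, not code from the original post. See the lead-in for the
// assumptions (PHP >= 7.4, GnuPG >= 2.1, paths and user as in the post).

function gpg_run(array $args, string $stdin, ?string $passphrase, string $home_dir): array
{
    $cmd = array_merge(
        ['/usr/local/bin/gpg', '--batch', '--no-tty', '--quiet',
         '--homedir', $home_dir . '/.gnupg'],
        $args
    );
    $spec = [
        0 => ['pipe', 'r'],  // stdin: plaintext or armored ciphertext
        1 => ['pipe', 'w'],  // stdout: gpg's data output only
        2 => ['pipe', 'w'],  // stderr: diagnostics, kept apart from the data
    ];
    if ($passphrase !== null) {
        $spec[3] = ['pipe', 'r'];  // passphrase arrives on fd 3, never on the command line
        array_push($cmd, '--pinentry-mode', 'loopback', '--passphrase-fd', '3');
    }

    $proc = proc_open($cmd, $spec, $pipes, null, ['HOME' => $home_dir, 'USER' => 'web']);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start gpg');
    }
    // Small inputs only: everything is written before stdout is read, which is
    // fine below the pipe buffer size. Larger data needs stream_select() or a
    // temporary file with restrictive permissions.
    if ($passphrase !== null) {
        fwrite($pipes[3], $passphrase . "\n");
        fclose($pipes[3]);
    }
    fwrite($pipes[0], $stdin);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        // Fail closed: never hand back partial output as if it were the plaintext.
        throw new RuntimeException("gpg exited with status $status: " . trim($err));
    }
    return [$out, $err];
}

// Encrypt to $recipient and sign as $sender; $sender_passphrase stays null
// when the signing key has no passphrase (as the original post assumes).
function gpg_encrypt_safe(string $msg, string $sender, string $recipient,
                          string $home_dir, ?string $sender_passphrase = null): string
{
    [$out] = gpg_run(
        ['--encrypt', '--sign', '--armor', '--recipient', $recipient, '--local-user', $sender],
        $msg, $sender_passphrase, $home_dir
    );
    return $out;
}

// Decrypt an armored message. Because stderr is kept separate, stdout holds
// the plaintext alone and no "strip the first N lines" regex is needed.
function gpg_decrypt_safe(string $armored, string $passphrase, string $home_dir): string
{
    [$out] = gpg_run(['--decrypt'], $armored, $passphrase, $home_dir);
    return $out;
}

// Usage, same flow as the post's test script. The decrypted text is escaped
// before it is placed in HTML: nl2br() alone does not neutralise markup that
// may be inside the message.
$home_dir  = '/home/myhomedir';
$encrypted = gpg_encrypt_safe('This is a secret message', 'sender@server.com',
                              'recipient@server.com', $home_dir);
$plain     = gpg_decrypt_safe($encrypted, 'supersecretpassphrase', $home_dir);
echo '<p>encrypted:<br />' . nl2br(htmlspecialchars($encrypted, ENT_QUOTES, 'UTF-8')) . '</p>';
echo '<p>decrypted:<br />' . nl2br(htmlspecialchars($plain, ENT_QUOTES, 'UTF-8')) . '</p>';
```

With the passphrase on its own descriptor the world-writable tmp directory from the post is no longer needed, and a non-zero exit from gpg (wrong passphrase, missing key, bad signature) surfaces as an exception rather than as stray text in the returned string.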