stored password practices gpg, crypt_gpg, gnupgme, crypt

totus

I've made some headway with Crypt_GPG.

Note, if you're using Plesk make sure to make Pear and gpg binaries accessible via the host dir directive in the specific domains vhost.conf file. 😉

Here is a good source: http://mattiasgeniar.be/2008/08/20/how-to-enable-pear-packages-in-plesk/

It will cure all your Crypt_GPG troubles.

The next endeavor is securing the decrypt function which I thought I would bounce off all of you php gurus.

Currently this is the way its currently being done:

<?php
require_once 'Crypt/GPG.php';

$emsg = $_POST('ENC'); 

$gpg = new Crypt_GPG(array('debug' => true));
$gpg->addDecryptKey('dummy@dummy.com', 'HEREISMYPASSWORDWORLD!');
echo "Message is: ". $gpg->decrypt($emsg);
?>

I DON'T THIS IS SECURE :xbones:. ANY PHP SECURITY GURUS WANT TO THROW A BONE??

What methodologies can be used to here to not display the password in the script itself?

Cheers,
totus

laserlight

What exactly are you trying to do?

totus

I'm not wanting the password in plain text visible within the script.

laserlight

No, what is this password going to be used for? What is the bigger picture of the problem that you are trying to solve?

This is needed to determine if the password can be provided on demand, or if you can use a hash of the password, or if you have no choice but maybe to place the password in plain text outside of the document root.

totus

The password is being used to decrypt the message via crypt_gpg. The big picture is that the password according to sample script has to placed within the php script. I don't think this is good security practice. I realize that it cannot be seen via the web, however if one were to gain access to the script itself, the password is in plain site. Is there a way to place this password in another area and call it, much like a mysql connect?

laserlight

totus wrote:
I realize that it cannot be seen via the web, however if one were to gain access to the script itself, the password is in plain site. Is there a way to place this password in another area and call it, much like a mysql connect?

If you want to do that, then my third option applies: define the password in a file outside of the document root, then include that file and use that variable. As such, even if the web server fails to invoke the PHP interpreter and spews out your PHP source code for the user to see, the password will remain inaccessible.

However, depending on your setup, other users on the server may still be able to access that file.

totus

Thanks laserlight! I will give this a try