Has anyone ever encrypted their settings.php file to increase security and protect sensitive data in case of a hack?
Any suggestions or thoughts, or direction would be appreciated.
DhrupDeScoop (@Dhrup2000):
The issue will be how you plan to encrypt and then decrypt the data. That gets into the area of "encryption technology" rather than an Elgg issue. Besides, if you get hacked and they can get to your settings.php, you are pretty much dead!!

Ray J (@RayJ):
Yes, and the encryption will require an Elgg core hack. But, BTW, you must store the encrypted key in some place. It is not safe at all.

DhrupDeScoop (@Dhrup2000):
+ Ideally, you will need a very good, robust two-way encryption algorithm (might I suggest "Rijndael"?)

Ray J (@RayJ):
Dhrup: Yes. A basic public/private key concept. But I don't see an easy solution in the PHP world. At the Brazilian Stock Exchange we developed a database connection class where you set up only the name of the database. The connection string was stored in another place and encrypted. The developers and the administrator don't have access to the database login. But we are talking about an environment where safety is REALLY needed. :)

Roger Leitch (@notdodgy):
Is it feasible to relocate the settings file?
E.g. outside of the document root, like the data folder is.
Would this increase protection?

anotherelgguser (@anotherelgguser):
@Roger, that seems to be the most viable solution; various other sites were suggesting that method.
I assume there are no Elgg-specific solutions?

Cash (@costelloc):
Hit the settings file directly. What shows up? Nothing. What are you trying to protect against?
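
The relocation discussed in this thread (keeping the settings file outside the document root, as the data folder is) can be audited from the shell. The script below is an added example, not part of the thread and not Elgg code; the helper names `canon_dir` and `check_settings` and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example (not Elgg code): audit where a settings file lives and who can read it.
# canon_dir and check_settings are hypothetical helper names; paths are the operator's own.

# Print the symlink-resolved directory that contains (or is) the given path.
canon_dir() {
    if [ -d "$1" ]; then
        (cd "$1" 2>/dev/null && pwd -P)
    else
        (cd "$(dirname "$1")" 2>/dev/null && pwd -P)
    fi
}

# check_settings FILE DOCROOT
# Returns 0 if clean, 1 if any finding was printed, 2 if a path cannot be resolved.
check_settings() {
    file=$1; docroot=$2; rc=0
    if [ ! -f "$file" ]; then echo "missing: $file"; return 2; fi
    fdir=$(canon_dir "$file") || return 2
    root=$(canon_dir "$docroot") || return 2

    # Compare with a trailing slash so /var/www does not match /var/www-private.
    case "$fdir/" in
        "$root"/*) echo "FINDING: $file is inside the document root $root"; rc=1 ;;
    esac

    # -perm -004 / -002: the "other" read / write bit is set.
    if [ -n "$(find -L "$file" -perm -004 2>/dev/null)" ]; then
        echo "FINDING: $file is world-readable"; rc=1
    fi
    if [ -n "$(find -L "$file" -perm -002 2>/dev/null)" ]; then
        echo "FINDING: $file is world-writable"; rc=1
    fi
    return $rc
}

# Usage: sh check_settings.sh /path/to/settings.php /path/to/docroot
if [ "$#" -eq 2 ]; then
    check_settings "$1" "$2"
fi
```

A file that has been moved out of the document root but is still readable by every local account is reported as a finding, since relocation alone does not restrict who on the host can read it.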