Hey guys,
So I was reading over the docs on how to encrypt stuff https://docs.phalcon.io/en/3.3/crypt and also saw an example here on how to set up an encryption service. https://docs.phalcon.io/en/3.3/crypt#service.
I'm not in love (at all) with storing a global key in this manner. Just curious what others think of my implementation.
So I have a key that I have stored encrypted in .phalcon/somekey.gpg. When the server starts up (and memcached is started), I run this simple command to decrypt the key by entering a password I have in my head, set it to stdout, store it in an environment variable, then store it in memcached.
$ ~ SOME_KEY=$(gpg -dq --no-symkey-cache .phalcon/somekey.gpg) php -r "\$m = new Memcached(); \$m->addServer('localhost', 11211); \$m->set('SOME_KEY', getenv('SOME_KEY'));"
Then in my config.php file, I have a value for my key.
    $m = new Memcached();
    $m->addServer('localhost', 11211);
    return new \Phalcon\Config([
        'database' => [
            // db stuff
        ],
        'application' => [
            // app stuff
        ],
        'secret_key' => $m->get('SOME_KEY')
    ]);
Then in my crypt service, I reference secret_key to be used. Thoughts? I'm trying to do what I can to prevent someone from gaining access somehow and then running tar / to capture the key, and I'm not storing the key in the db, but in RAM. I'm also trying to do what I can to keep the key safe on the same server (instead of calling another server to do the encryption, as that (I imagine) would cause a significant slowdown from making many calls within the model to decrypt all the fields individually).
Also curious on anyone's thoughts on key rotation and how that would look in Phalcon? I have some models set up with beforeSave() and afterFetch() with automatically decrypting and encrypting variables so data is stored encrypted at rest, but also dynamically decrypted so I don't have to manually do it all the time. How would one go about rotating an encryption key on all the data that is at rest with the beforeSave() and afterFetch() events being set the way they are?