Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Encyrption keys in Zephir extension?

Would there by any security added to a web application by putting the encryption keys into a Zephir extension? Instead of needing to read the encryption key from a file (which may accidentally be leaked or stolen), the keys would be available only through the extension. Or is this just security through obscurity without any real benefit?


Any raw-string in a .so library or DLL can be easily viewed using an utility like 'strings' on Linux/Mac or Hexdump on Windows:

strings ext/modules/

So putting your passwords there would only protect you against newbies. However you can create the passwords by using some algorithm that builds the strings at runtime:

let map = [0x77, 0x7e, 0x7d, 0x6a, 0x6d, 0x77, 0x6f, 0x79], password = "";
for key, value in map {
        if (key + 1) & 1 {
                let password .= value - 10;
        } else {
                let password .= value - 5;

The above algorithm is very basic, however it requires a disassembler to find the password out which increases the level of those who want to read it.

Great help and advice. Thank you.