Encryption keys in Zephir extension?

Would there be any security added to a web application by putting the encryption keys into a Zephir extension? Instead of needing to read the encryption key from a file (which may accidentally be leaked or stolen), the keys would be available only through the extension. Or is this just security through obscurity without any real benefit?


Any raw string in a .so library or DLL can be easily viewed using a utility like 'strings' on Linux/Mac or Hexdump on Windows:

strings ext/modules/test.so

So putting your passwords there would only protect you against newbies. However you can create the passwords by using some algorithm that builds the strings at runtime:

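// Build the password at runtime from offset values instead of storing it as a literal
let map = [0x77, 0x7e, 0x7d, 0x6a, 0x6d, 0x77, 0x6f, 0x79], password = "";
for key, value in map {
        // (key + 1) & 1 is true for the even indexes 0, 2, 4, ...
        if (key + 1) & 1 {
                let password .= value - 10;
        } else {
                let password .= value - 5;
        }
}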

The above algorithm is very basic; however, it requires a disassembler to find the password out, which increases the level of those who want to read it.
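The following is an added example, not part of the original answer, for checking a built extension the way `strings` would and for seeing how little the offset map hides. It assumes each computed value in the loop is used as a character code; the byte blobs, the `get_key` symbol name and the 32-bit layout of the map are constructed for illustration.

```python
import re
import struct

# Values and offsets copied from the answer's loop.
MAP = [0x77, 0x7e, 0x7d, 0x6a, 0x6d, 0x77, 0x6f, 0x79]


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def decode_map(values: list[int]) -> str:
    """Re-run the answer's loop (assumption: results are character codes)."""
    out = []
    for key, value in enumerate(values):
        # (key + 1) & 1 is true for even indexes, which use the -10 offset.
        out.append(chr(value - 10 if (key + 1) & 1 else value - 5))
    return "".join(out)


def leaks_secret(blob: bytes, secret: str) -> bool:
    """True if the secret shows up in any string a `strings` pass would print."""
    return any(secret in s for s in extract_strings(blob))


# Constructed stand-ins for a compiled module, not real .so files.
_HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"get_key\x00"
SECRET = decode_map(MAP)

# Variant 1: the key sits in the binary as a literal string.
LITERAL_BLOB = _HEADER + SECRET.encode("ascii") + b"\x00"
# Variant 2: only the map is stored, here as 32-bit little-endian integers.
ENCODED_BLOB = _HEADER + struct.pack("<8i", *MAP)

if __name__ == "__main__":
    print("literal build leaks key:", leaks_secret(LITERAL_BLOB, SECRET))
    print("encoded build leaks key:", leaks_secret(ENCODED_BLOB, SECRET))
    print("key recovered from map: ", SECRET)
```

The encoded build passes the `strings` check, yet the key is still fully determined by constants shipped in the binary, so the check only tells you whether the key is visible as a literal.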

Great help and advice. Thank you.