
I am storing very sensitive information which can be accessed through a PHP interface. I am currently working on where to store the encryption key. One idea is to store it outside the www folder; storing it in the database is not an option.

Any ideas how this can be done? My idea is that I create a file outside the www folder and only make that file accessible by the web server, then I load the key from it with PHP and decrypt the data.

How should this key be generated?

anonamas
  • I tried to answer a similar question here: http://stackoverflow.com/a/19679151/575765. @YUNOWORK Be careful with such jokes, there is always somebody who takes them seriously... – martinstoeckli Jan 15 '14 at 11:56
  • @YUNOWORK I think you would be better off alerting it. The user would never think that an alert would contain the encryption key. – Ryan Jan 15 '14 at 11:56

2 Answers


Is there any reason you can't define the key in a PHP file outside of WWW and then just include that?

... /home/martin/keys/encryptionkey.php
<?php 

$SUPER_SECRET_KEY = "abcdefg";

?>

And then in your main code

include("/home/martin/keys/encryptionkey.php");
echo $SUPER_SECRET_KEY;

Regarding how to generate the key, it has a strong dependency on the type of encryption you are using. Check the relevant PHP documentation. It is usually sensible to have a reasonably long, randomly generated key.

The example on mcrypt_encrypt uses:

$key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3");
Pez Cuckow
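Putting the answer's approach together end to end (an added example, not the answerer's code): the key file lives at a hypothetical path outside the document root, is generated from the CSPRNG, is refused if anyone but its owner can read it, and is used with AES-256-GCM through ext-openssl instead of the mcrypt call quoted above, since mcrypt was removed from PHP core in 7.2 and GCM additionally authenticates the ciphertext.

```php
<?php
// Added example. Assumes the key file sits outside the document root at the
// hypothetical path below (modelled on the answer's /home/martin/keys/) and
// that ext-openssl is loaded. AES-256-GCM replaces the answer's mcrypt call.
const KEY_FILE  = '/home/martin/keys/encryption.key'; // hypothetical path
const KEY_BYTES = 32;  // 256-bit key for AES-256
const IV_BYTES  = 12;  // 96-bit nonce, the recommended GCM size
const TAG_BYTES = 16;  // GCM authentication tag length
// One-time setup: a CSPRNG key, written readable only by the file's owner.
function generateKeyFile(string $path): void {
    if (file_put_contents($path, bin2hex(random_bytes(KEY_BYTES)), LOCK_EX) === false) {
        throw new RuntimeException('cannot write key file');
    }
    chmod($path, 0600);
}
// Load the key; refuse to run if group or others can read the file.
function loadKey(string $path): string {
    if (!is_file($path) || (fileperms($path) & 0077) !== 0) {
        throw new RuntimeException('key file missing or readable by group/others');
    }
    $key = hex2bin(trim((string) file_get_contents($path)));
    if ($key === false || strlen($key) !== KEY_BYTES) {
        throw new RuntimeException('key file has the wrong length');
    }
    return $key;
}
// Fresh random nonce per message; output layout is nonce || tag || ciphertext.
function encryptSecret(string $key, string $plaintext): string {
    $iv  = random_bytes(IV_BYTES);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}
// Returns null when the tag check fails (wrong key or modified data).
function decryptSecret(string $key, string $blob): ?string {
    $iv  = substr($blob, 0, IV_BYTES);
    $tag = substr($blob, IV_BYTES, TAG_BYTES);
    $ct  = substr($blob, IV_BYTES + TAG_BYTES);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

if (!is_file(KEY_FILE)) { generateKeyFile(KEY_FILE); }
$key  = loadKey(KEY_FILE);
$blob = encryptSecret($key, 'very sensitive information');
var_dump(decryptSecret($key, $blob) === 'very sensitive information');
```

Run the one-time generation as the web server user so the 0600 file is owned by the account that later reads it; any other account on the host, including the deploying developer, then cannot read the key without root.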

Huh, encryption and security on the web are a very, very complex matter and quite out of the scope of this question.

In general, you can't protect your data just like that. You need to consider many other factors involved in data protection, starting from the physical security of the server, network security, application security, the encryption algorithm used and many other things.

If you really care about your data, start by reading the articles on this web site: https://www.owasp.org/index.php/Main_Page

https://www.owasp.org/index.php/Top_10_2013-Top_10

Then watch, for example, this video to see how bad it is!

https://www.youtube.com/watch?v=mgtkzjR-9G8#t=0

mikikg