Is it a security concern to store server-side key in plaintext in environment variables? And specifically with PHP, would I be safe by not calling phpinfo() or other kind of dumper?
Asked
Active
Viewed 480 times
0
DannyNiu
- 328
- 2
- 14
1 Answers
1
Yes, storing credentials in plaintext is always a security concern.
Depending on what you use those credentials for (e.g. database access), you might want to look at alternative methods of authentication, which do not rely on a pre-shared key.
If you do not have any options other than storing a pre-shared key in plain text, then there are still some things you can do:
Authentication Proxy between you and the server
The concept is simple. You can set up a proxy server between your web server and your target, e.g. a database. You use a strong authentication mechanism that is independent of your web server to connect and authenticate to the proxy, which then adds credentials to each request to the database.
This way, the credentials are never accessible directly by the web server.
Cleaning up after yourself
Storing credentials in an environment variable can be done right and horribly wrong.
The wrong way is this:
export DB_CRED=user:pass
mywebserver <options...>
Why? Because this environment variable is now exported to every other process from the same shell.
The very wrong way is this:
export DB_CRED=user:pass
mywebserver --credentials $DB_CRED
This is even worse, because any user on the same system looking at the running processes will see mywebserver --credentials user:pass running.
So what is the right way? It is to launch your application like this:
DB_CRED=user:pass mywebserver <options...>
Further, you must then unset this environment variable, once it is saved in a variable of your application.
Why is this better than exporting? Because the variable DB_CRED is only set for mywebserver. If the web server then unsets the variable, it does not exist for the shell anymore, only for the process.