4

I have a PHP system and I need to store some tokens for operations like:

  • Database username and password
  • API token
  • Keys for encryption

It turns out that for a long time only I manage the source code, but soon other people will need to maintain the source code, with that came the fear of unauthorized access and the need to hide these values ​​in the development environment and have them only available in the production environment.

I've seen some methods that work for this, but they don't seem so fast or safe to me, for example:

  • HashiCorp Vault: Depending on a service running on the server, opening a cURL request for every code that needs a key (even the database), seems to increase the application's latency a lot.
  • .ENV: It seems to be a widely used mode, but I've noticed via logs on Cloudflare that several bots constantly try to access .ENV files at random URLs to steal credentials.

In addition to these methods, is there any other that is secure, practical and fast?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Tom
  • 163
  • 4
  • 1
    We have had several questions like this over the years. Have you searched the existing questions? https://security.stackexchange.com/questions/199248/why-use-env-whats-wrong-with-storing-secrets-in-a-config-php-file-outside-roo and https://security.stackexchange.com/questions/180243/best-practices-for-storing-credentials-used-by-code As asked, you have posed an open-ended question asking for lists. As for practicality and performance, those are outside the scope of the site, and will depend on your implementation. – schroeder May 28 '22 at 11:19

0 Answers0