简体繁体 English

如何保护app.php加密密钥？（Laravel 5）

[英]How to secure app.php encryption key? (Laravel 5)

原文 2015-08-31 02:24:44 4 1 php/ laravel/ encryption/ laravel-5

According to this , Laravel supports encryption and decryption of data. 根据此，Laravel支持加密和解密数据。 It works well and is easy to set up, but my question is how secure is it really? 它运作良好且易于设置，但是我的问题是它到底有多安全？

What if the encrypted fields in the database are compromised and then the app.php file is also compromised? 如果数据库中的加密字段被破坏，而app.php文件也被破坏怎么办？ Then they will have access to the encryption key. 然后他们将可以访问加密密钥。

Is there a way we can programmatically secure the encryption key from hackers? 有没有办法以编程方式保护黑客的加密密钥？

This answer is certainly helpful, but I'm wondering if there is a specific method for Laravel apps. 这个答案当然有帮助，但是我想知道Laravel应用程序是否有特定的方法。 Appreciated! 不胜感激！

1 个解决方案

Laravel's encryption is strong, it uses the AES algorithm through MCrypt, which is a well known PHP extension. Laravel的加密功能很强，它通过MCrypt使用AES算法，这是众所周知的PHP扩展。

If your encrypted fields AND your encryption key falls into wrong hands you're pretty much screwed and there's nothing to do about it. 如果您的加密字段和加密密钥落入了不正确的人手中，那么您几乎就被搞砸了，也就无济于事了。

Fortunately, there are ways to secure the key. 幸运的是，有一些方法可以保护密钥。 First of all, don't you EVER put your key inside the app.php file. 首先，不要把密钥放在 app.php文件中。 Laravel 5 makes it easier than ever to use environments . Laravel 5使使用环境比以往更加容易。 Put your key inside a .env file and refer to it inside your app.php file. 将密钥放在.env文件中，并在app.php文件中引用它。

As those files lay outside the reach of the code you run through your public folder, you're good to go. 由于这些文件奠定您通过运行代码的范围之外 public文件夹，你是好去。 If someone with bad intentions finds a way to ssh or FTP into your server, this approach won't save you but also no one else will. 如果有恶意的人找到了将ssh或FTP到服务器中的方法，这种方法将无法挽救您，但其他人也不会。

I don't know what are you planning on encrypt but on the off chance you are thinking about securing passwords through encryption, please read on . 我不知道您打算如何进行加密，但是如果您打算通过加密保护密码，请把握机会继续阅读。