Data Encryption Manager Questions
webdevmerc:
I have read most of the forum messages that popped up in a search and the install documentation for Data Encryption Manager. I also have it set up and encrypted my addresses, customers and orders tables... Everything is working so I don't have an issue with that part.
I was wondering, what permissions should things have on the web server? A lot of docs have 777 and most files everywhere seem to be 755 as well.
Having lived as a Unix admin person in my past life, a lot of these files seem world readable. Even the system/config.php has 755 permissions. Is this normal and is this a security concern? The config.php file has all the database login info there so with that, you can access all the information (I used to have root access everywhere so maybe this is normal?, I was never in web-development)...
Also, what is the best or safe security practice for what I should or where should I store my encryption keys? Do I just leave them both in my keys folder on the server or delete the key pair on the server under my /path/to/keys/ folder?
Leave the .pub and delete the .prv?
I wasn't sure what is needed to allow the store to just work and I can run scheduled encryptions of customer data regularly I guess.
Thanks for any tips and info you can share.
Also, what is this line?
// Encryption key for protecting sensitive information. NOTE: Change of this key will cause a loss of all existing encrypted information!
define('ENCRYPTION_KEY', 'somekey');
abolabo:
--- Quote from: webdevmerc on August 18, 2015, 07:40:06 PM ---Having lived as a Unix admin person in my past life, a lot of these files seem world readable. Even the system/config.php has 755 permissions. Is this normal and is this a security concern? The config.php file has all the database login info there so with that, you can access all the information (I used to have root access everywhere so maybe this is normal?, I was never in web-development)...
--- End quote ---
You cannot see the content of config.php from the web side (I mean from your browser). It is forbidden by .htaccess, and a PHP file will be interpreted as a script, not as a plain text file. If you can see it through other ways, such as FTP, SSH or some exploit or "backdoor", that means you have the same privileges as the web server app (Apache). In this case it doesn't matter what file permissions were set.
eCommerce Core:
--- Quote from: webdevmerc on August 18, 2015, 07:40:06 PM ---I was wondering, what permissions should things have on the web server? A lot of docs have 777 and most files everywhere seem to be 755 as well.
--- End quote ---
Suggested permissions for PHP files are 644 (755 would be OK).
777 might be set for installation or upgrade purposes, but they need to be set back to 644.
IMPORTANT NOTE: Make sure required system directories are set to 777 (images, resources, cache, etc)
Here is a good read about PHP security:
http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
--- Quote from: webdevmerc on August 18, 2015, 07:40:06 PM ---Also, what is the best or safe security practice for what I should or where should I store my encryption keys? Do I just leave them both in my keys folder on the server or delete the key pair on the server under my /path/to/keys/ folder?
Leave the .pub and delete the .prv?
I wasn't sure what is needed to allow the store to just work and I can run scheduled encryptions of customer data regularly I guess.
--- End quote ---
Store keys in a separate location, not accessible to the web. Move them outside your web directory.
--- Quote from: webdevmerc on August 18, 2015, 07:40:06 PM ---Also, what is this line?
// Encryption key for protecting sensitive information. NOTE: Change of this key will cause a loss of all existing encrypted information!
define('ENCRYPTION_KEY', 'somekey');
--- End quote ---
This is a standard key that is used to encrypt data (session, some configs, etc). This is basic, lightweight encryption. It is not related to SSL-based encryption with Data Encryption Manager.
webdevmerc:
Hi, thank you for more info! A few more questions below...
--- Quote from: eCommerce Core on August 19, 2015, 10:12:59 AM ---Suggested permissions for PHP files are 644 (755 would be OK).
777 might be set for installation or upgrade purposes, but they need to be set back to 644.
IMPORTANT NOTE: Make sure required system directories are set to 777 (images, resources, cache, etc)
--- End quote ---
My default permissions (after a manual install) seem to be set at 755 for all those folders and working OK so I'm going to just leave it at this. Do you think that'd be OK?
--- Quote from: eCommerce Core on August 19, 2015, 10:12:59 AM ---Here is a good read about PHP security:
http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
--- End quote ---
Will read this when time permits.
--- Quote from: eCommerce Core on August 19, 2015, 10:12:59 AM ---Store keys in a separate location, not accessible to the web. Move them outside your web directory.
--- End quote ---
Do I just move one key or both? If I move the keys away from the public_html/system folder, the current encryption of someone creating their account or setting up their address, email seems to break and not work. I guess I should just try to move/rename 1 and the other to test this...
More info helpful.
Thanks for your time and answers!
eCommerce Core:
755 is OK
You need to move both keys.
If you need to separate keys into different locations it is possible with a small code change.
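
The permission and key-placement advice given in this thread can be checked with a short audit script. This is an added example, not part of the forum thread or the cart's own tooling; the directory layout (public_html, system/keys, admin) and the key file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a web root against the advice in this thread.
# All paths and names below are constructed for the demo.

# PHP files writable by group or others (looser than 644/755).
loose_php() {
    find "$1" -type f -name '*.php' \( -perm -0020 -o -perm -0002 \) | sort
}

# Key files (.prv/.pub) still stored under the web root.
keys_in_webroot() {
    find "$1" -type f \( -name '*.prv' -o -name '*.pub' \) | sort
}

# World-writable directories not on the expected list (args after root).
unexpected_writable_dirs() {
    root=$1; shift
    find "$root" -type d -perm -0002 | sort | while read -r d; do
        keep=0
        for ok in "$@"; do
            if [ "$d" = "$root/$ok" ]; then keep=1; fi
        done
        [ "$keep" -eq 1 ] || echo "$d"
    done
}

# Build a small constructed tree to run the checks against.
make_demo_tree() {
    umask 022
    t=$(mktemp -d)
    mkdir -p "$t/public_html/system/keys" "$t/public_html/cache" "$t/public_html/admin"
    echo '<?php' > "$t/public_html/index.php"
    echo '<?php' > "$t/public_html/system/config.php"
    : > "$t/public_html/system/keys/store.prv"
    : > "$t/public_html/system/keys/store.pub"
    chmod 777 "$t/public_html/system/config.php"   # left over from install
    chmod 777 "$t/public_html/cache" "$t/public_html/admin"
    echo "$t"
}

demo=$(make_demo_tree)
web="$demo/public_html"
echo "PHP files to set back to 644:"; loose_php "$web"
echo "Keys inside the web root:";     keys_in_webroot "$web"
echo "Unexpected 777 directories:";   unexpected_writable_dirs "$web" cache images resources
rm -rf "$demo"
```

To run it against a real install, call the three functions with the actual web root and the list of directories the store requires to be writable.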