By the end of this piece we will have 3 files in our keys folder:
- keys/
  - encryption_key
  - private.key
  - public.key
But what do each of these do?
encryption_key is, as the name says, an encryption key, but what does it actually encrypt? It could encrypt anything; in this case we use it to encrypt sensitive data before it is written to the database. That is good practice whenever the chance of your database being compromised is greater than zero, and if your database exists, it is.
You probably won't need to encrypt every column, but personal data such as customers' addresses and phone numbers is best stored encrypted. Bear in mind that you can't filter or search on an encrypted column with a plain WHERE clause, so keep the fields you need to query on separate from the ones you encrypt.
Now on how to generate the key: the only rule is that it must be unpredictable, so it has to come from a cryptographically secure random source. You could open the encryption_key file and mash your keyboard, but keystrokes are nowhere near uniformly random and an attacker who guesses your habits can shrink the search space dramatically. A scriptable approach that draws from the operating system's CSPRNG is both safer and repeatable.
Either write a PHP file and run it, or run php -a to open an interactive PHP shell and enter (or write into the file):
file_put_contents('./keys/encryption_key', base64_encode(random_bytes(32)) . PHP_EOL);
The path will depend on your current working directory of course. random_bytes() pulls from the OS's secure random source, and base64 encoding turns the 32 raw bytes (the size of a 256-bit cipher key) into text that is safe to keep in a file.
You should end up with a file containing a single 44-character base64 line ending in =. Keep it out of version control and readable only by the user the application runs as.
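Having generated the key, the natural question is how the API actually uses it. The following is an added example, not code from the original article: it loads encryption_key, decodes it back to 32 bytes and uses it with libsodium's secretbox (XSalsa20-Poly1305, an authenticated cipher) to encrypt a field before it is stored and decrypt it on read. It assumes the ext-sodium extension that ships with PHP 7.2+ is enabled; the sample phone number and the commented-out INSERT are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article): using the 32-byte
// encryption_key generated above to protect one database column.
// Assumes ext-sodium is enabled and the key file was written by the
// file_put_contents() call above. Table/column names are hypothetical.

function loadEncryptionKey(string $path): string
{
    $encoded = trim((string) file_get_contents($path));
    $key = base64_decode($encoded, true);
    // secretbox needs exactly SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) bytes.
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('encryption_key must be 32 random bytes, base64-encoded');
    }
    return $key;
}

// Encrypts one field value. A fresh random nonce is generated per call and
// stored in front of the ciphertext so the same plaintext never produces the
// same stored value twice. The result is base64 so it fits a text column.
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

// Decrypts a stored value. The Poly1305 tag inside the ciphertext means a
// wrong key or a modified blob is rejected instead of yielding garbage.
function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('stored value is not a valid secretbox payload');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered ciphertext');
    }
    return $plaintext;
}

// Usage: encrypt a customer's phone number before the INSERT, decrypt on read.
$key = loadEncryptionKey(__DIR__ . '/keys/encryption_key');
$stored = encryptField('+44 7700 900123', $key); // constructed sample value
// $pdo->prepare('INSERT INTO customers (phone) VALUES (?)')->execute([$stored]);
echo 'decrypted: ', decryptField($stored, $key), PHP_EOL;

// Flipping one byte of the stored blob must fail authentication.
$tampered = base64_decode($stored);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decryptField(base64_encode($tampered), $key);
    echo 'ERROR: tampering went undetected', PHP_EOL;
} catch (RuntimeException $e) {
    echo 'tamper detected: ', $e->getMessage(), PHP_EOL;
}
```

The nonce is not secret, which is why storing it next to the ciphertext is fine; what matters is that it is never reused with the same key, and drawing 24 random bytes per record makes a collision negligible. If you ever rotate encryption_key you will need to decrypt and re-encrypt the affected rows, so plan for a key identifier alongside the stored value before you have a lot of data.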
Now for the private and public keys, what are these for? These have nothing to do with encrypting data in the database; they are for signing and verifying the access tokens handed to users of our API.
We will generate them with RSA, an asymmetric algorithm: it produces a private key and a matching public key. The private key signs tokens and the public key verifies that a token was signed with that private key. Since the public key can only verify and never sign, you can share it freely (other services can check tokens with it), but you must NEVER share the private one: whoever holds it can mint tokens for any user.
We generate these with 2 commands, run in the shell rather than in PHP (you could call them via shell_exec from PHP, but there is no need). First the private key:
openssl genrsa -out ./keys/private.key 2048
With OpenSSL 1.1 it should display something like
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)
OpenSSL 3.x prints nothing on success and writes the key in PKCS#8 form, so the file starts with -----BEGIN PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----; either form loads fine. Whichever version you have, restrict the file to its owner (mode 600) as soon as it exists.
Next for the public key:
openssl rsa -in ./keys/private.key -pubout -out ./keys/public.key
And it should display
writing RSA key
Notice how generating the public key took the private key as the -in parameter? That's because the public key is derived from the private one: they only work as a matched pair, so if you regenerate either, the other no longer corresponds and every token signed so far fails verification. The -pubout flag tells openssl to write out only the public component. Here are some disposable ones I generated to show how they should look:
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAn4K9KYR9odmyKFKh49QflqMggqGDrpHg9sC0cFiqIs80oAZk
VrffiIG2qpKBuidFfwzy1DD3TfzBoI7A7jeKG+gzh5jz6fWtVTf4bgTQx0N19BM0
KieO20Iyi2jwSWo2JyLFret4tQmV+8BmXXlK/TfvxTFGcjgYvyh7/u8V1nxvlg+8
E7+FbV9l0zH00H+YSjho4FhexwloHBq6b+fgnW6BijKYC6LeK2ckFB32na9n88Mi
Q97Lujjd/BhGuXHj8RmWfa9ueXzGreKYsKYfLvh3mOjl4yzIbjOlVIlTJYfMsjQi
piftxsIHRqkcVlGBAxSLWyxMacGG2nzlO5FJqwIDAQABAoIBADoB2Hq1tN5cBZ8G
Vds9c/NbBWKcDAA7Cr2RXM0SYWThR3j+ehTTL1Y8HcqwFr80suA+PDyQRg81YNDb
uSuoRPBbJAomxGULs+ouvYh89dPRI58MMMc3tYrk6u6pzeBU4LagvZS+8hmcD9AK
qu9JQc0OP4LNpZm57r3tohIWrjFeYk/4G06cjknvN4xSrV+Iw+EvwAnH+o3F0dWG
ZerEAmHIpfIFZcAyJKyIW9+RVhqhiTNEJ2uZ4tGKLvW2wDL5OeUhk7dgGxgVqaGY
b+dwEHCdfpsrsQ176d0R91RygRvJl9nE7JNgNU2wPRlUluD6HtemdRp1hF8G2e7k
VuZhJzECgYEAzmbtH/mK0sIY3+z9CAi5IyDBDxJcdu4NZlnn3WhnQdAO64tFlgWU
KT3cSPwFHzyOpeT2/EfdD2Tqbg8MQM9SNnrj6i9hZliR/myJExGMTEVUcG31y5er
dGPVSgjxCLCwVRCckcSTmz2FKsl0FZJQuVOY+2USJomGqyPWenhEwdkCgYEAxdc7
1p/lGCuLQIwCOo6AI9Qbs+MZ955gETu2uF37d93qMisv/mh+K/e5k5xgD3XtXLm4
wLTPNt3cpenT4PIRXFa7dX4z4dKap4X/T2vzXDZ5iFj5LhFnv88p7GsD6e5UiI5I
Cyh8Wdzi0X6Ym5evGrKSrjXFQqrzPCcRFNsqcSMCgYAd5n83gJkByyh7WAOX5Fud
oSMWodxPRlEeoKucQYGj4RYoPTbJculxyApfcFL1oXowwiidh3OYxU/IvdlSkjYg
ulDGHjMH9pC/wM1iu8oNSoXe+6793WzzIXtGjGEOlzoUOKHV5BpWBOWDu0db0KRt
FJU25f9pIccmh7yMZVvgkQKBgFOotTwHtzemSidMTTD3y0XbTq+dzABCr3r6FkUW
MN06MOtwCcZ550iuY4IA8Tn4cxvvySlsC+e2n7RlEVyg4Ch84J5JdKT8irtmVVT/
YBRRUMkQXqZVY9rfPmojwq7sQkDQcbSONS9G0X8nGl9JIBmZA5+5SyXq5ho8puN7
3hGjAoGAchv3dqnzMg/YYW6s5kOvwqVEejWE1KgAfGOXza2G110F8RaJAicVHHSv
PFxygBbM+Tf4ffn++y2AgWRnqjttdarUBHLe7wCnm7rR5u6V7dr4k8jHSLgqQv13
iXyWkAwbdsnkIslitQMrT5EcBpSV2vn0bl2ljPTBeMzjYOA2XTo=
-----END RSA PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn4K9KYR9odmyKFKh49Qf
lqMggqGDrpHg9sC0cFiqIs80oAZkVrffiIG2qpKBuidFfwzy1DD3TfzBoI7A7jeK
G+gzh5jz6fWtVTf4bgTQx0N19BM0KieO20Iyi2jwSWo2JyLFret4tQmV+8BmXXlK
/TfvxTFGcjgYvyh7/u8V1nxvlg+8E7+FbV9l0zH00H+YSjho4FhexwloHBq6b+fg
nW6BijKYC6LeK2ckFB32na9n88MiQ97Lujjd/BhGuXHj8RmWfa9ueXzGreKYsKYf
Lvh3mOjl4yzIbjOlVIlTJYfMsjQipiftxsIHRqkcVlGBAxSLWyxMacGG2nzlO5FJ
qwIDAQAB
-----END PUBLIC KEY-----
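To make the sign/verify split concrete, here is an added example that is not part of the original article: the issuing side signs a compact RS256 JWT with private.key using openssl_sign(), and the verifying side checks it with nothing but public.key, rejecting a token whose payload was altered after signing. The claim values and key paths are assumptions for illustration; the only requirement is PHP's bundled openssl extension.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article): signing an access token
// with private.key and verifying it with public.key. Token format is a
// compact RS256 JWT (RFC 7519); claims and paths are illustrative.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string
{
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url segment');
    }
    return $decoded;
}

// Issuer side: only the API server holds private.key.
function issueToken(array $claims, string $privateKeyPem): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = base64UrlEncode(json_encode($claims));
    $signingInput = "$header.$payload";

    $privateKey = openssl_pkey_get_private($privateKeyPem);
    if ($privateKey === false) {
        throw new RuntimeException('could not load private key: ' . openssl_error_string());
    }
    $signature = '';
    // RS256 = RSASSA-PKCS1-v1_5 over SHA-256, which is what openssl_sign
    // produces for an RSA key with OPENSSL_ALGO_SHA256.
    if (!openssl_sign($signingInput, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return "$signingInput." . base64UrlEncode($signature);
}

// Verifier side: any service holding public.key can check a token.
// Returns the claims on success, null on any failure. The algorithm is
// pinned to RS256 instead of trusted from the header, so a client cannot
// downgrade it (e.g. to "none" or to an HMAC keyed with the public key).
function verifyToken(string $token, string $publicKeyPem, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $signature] = $parts;

    $publicKey = openssl_pkey_get_public($publicKeyPem);
    if ($publicKey === false) {
        throw new RuntimeException('could not load public key: ' . openssl_error_string());
    }
    try {
        $rawSig = base64UrlDecode($signature);
    } catch (InvalidArgumentException $e) {
        return null;
    }
    // openssl_verify returns 1 for a valid signature, 0 for invalid, -1 on error.
    if (openssl_verify("$header.$payload", $rawSig, $publicKey, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $headerData = json_decode(base64UrlDecode($header), true);
    if (($headerData['alg'] ?? null) !== 'RS256') {
        return null;
    }
    $claims = json_decode(base64UrlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null; // missing or past expiry
    }
    return $claims;
}

$privatePem = file_get_contents(__DIR__ . '/keys/private.key');
$publicPem  = file_get_contents(__DIR__ . '/keys/public.key');

$token = issueToken(['sub' => 'user-42', 'iat' => time(), 'exp' => time() + 3600], $privatePem);
echo 'genuine token accepted: ', verifyToken($token, $publicPem, time()) !== null ? 'yes' : 'no', PHP_EOL;

// Swapping in a different payload while reusing the original signature must fail.
[$h, $p, $s] = explode('.', $token);
$forged = base64UrlEncode(json_encode(['sub' => 'admin', 'iat' => time(), 'exp' => time() + 3600]));
echo 'forged token rejected: ', verifyToken("$h.$forged.$s", $publicPem, time()) === null ? 'yes' : 'no', PHP_EOL;
```

Two points are worth keeping even if you later switch to a JWT library: the verifier decides the algorithm, never the token, and the expiry check is part of verification rather than something the route handler remembers to do. Everything in verifyToken() runs with only public.key on disk, which is exactly why that file is the one you can copy to other services.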
So now we have all the keys we will need!