Download the PHP package madmatt/silverstripe-encrypt-at-rest without Composer
On this page you can find all versions of the php package madmatt/silverstripe-encrypt-at-rest. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download madmatt/silverstripe-encrypt-at-rest
More information about madmatt/silverstripe-encrypt-at-rest
Files in madmatt/silverstripe-encrypt-at-rest
Package silverstripe-encrypt-at-rest
Short Description Enable encryption of data at rest (in database)
License WTFPL
Homepage https://github.com/madmatt/silverstripe-encrypt-at-rest
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package silverstripe-encrypt-at-rest
silverstripe-encrypt-at-rest
This module allows Silverstripe CMS ORM data to be encrypted before being stored in the database, and automatically decrypted before using within your application. To do this, we use a secret key known only by the web server.
Caveats to understand
- It's important to note that this module does not guarantee the security of your data completely. You should only use this as a protection measure if you fully understand how the module operates. In most cases, encrypting the entire database is both adequate and similarly effective. Only use this module to encrypt data at-rest (on a field-by-field basis) if your layered protection strategy requires and accomodates it. To be clear - when encrypting data at rest, the data must be decrypted before being used. In almost all cases, the web server hosting the website is far more accessible to attacks than the the database server, meaning that an attacker who can compromise your web server will have access to both the database and the encryption key used to encrypt the data.
- Encrypting and decrypting data on a field-by-field basis has a performance overhead, which may produce undesirable results in your project.
- This module uses the
defuse/php-encryptionlibrary under the hood, which prefers strong security over performance. Encrypting lots of fields on aDataObjectcan significantly slow down any operations that read or write large amounts of data (for exampleModelAdminviews in the CMS that render 50+ records at once can take many seconds of processing power just to decrypt fields). Care should be taken to ensure only the minimal set of data is encrypted, and that this data does not need to be used frequently.
Requirements
- SilverStripe CMS 5.0
Installation
Install via Composer:
Once installed, you need to generate an encryption key that will be used to encrypt all data.
- Generate a hex key with
vendor/bin/generate-defuse-key(tool supplied bydefuse/php-encryption). This will output a ASCII-safe key that starts withdef. - Set this key as the environment variable
ENCRYPT_AT_REST_KEY.
For development environments you can set this in your .env e.g:
For more information view SilverStripe Environment Management.
Usage
In your DataObject, create new database fields using an encrypted field type. Note: It's not supported to convert an existing field that has data into an encrypted field. This might work but is not guaranteed. You should migrate your data by creating a new field, and creating a task to map old fields to new encrypted fields if necessary.
For example:
See the src/FieldType folder for all field types, or review the below list:
Madmatt\EncryptAtRest\FieldType\EncryptedDatetimeMadmatt\EncryptAtRest\FieldType\EncryptedDecimalMadmatt\EncryptAtRest\FieldType\EncryptedEnumMadmatt\EncryptAtRest\FieldType\EncryptedIntMadmatt\EncryptAtRest\FieldType\EncryptedTextMadmatt\EncryptAtRest\FieldType\EncryptedVarchar
Note: When saving in the database, all of these encrypted fields are stored as TEXT column types. This is due to the length of the encrypted data being generally much longer than the original text string. They do not take up table column space, but result in longer query execution times when many fields are included as the database needs to go retrieve all these fields from separate blob storage.
Note 2: These fields all extend from the base data type (e.g. EncryptedDatetime extends DBDatetime) so most common field helper methods can be used (e.g. $DatetimeField.Ago).
Data will be automatically encrypted when values are written to the database, and decrypted whenever that data is read back from the database.
To use decrypted values, you just use the value like you would in any other context. For example:
Usage within Silverstripe templates is also straightforward:
If you've use the Silverstripe CMS 3 version of this module, you no longer need to rely on the ->getDecryptedValue() method - the value will always be decrypted when accessing it.
Encrypting and decrypting arbitrary text strings and files without using the ORM
You can also encrypt/decrypt arbitrary text strings as well as entire files on the filesystem without using the Silverstripe ORM (e.g. without using DataObject). You might want to do this to securely communicate with an API for example.
