Download the PHP package uwdoem/secure-upload without Composer
On this page you can find all versions of the php package uwdoem/secure-upload. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download uwdoem/secure-upload
More information about uwdoem/secure-upload
Files in uwdoem/secure-upload
Package secure-upload
Short Description Secure file upload with asymmetric encryption.
License
Informations about the package secure-upload
Secure-Upload
This library is intended to help protect the contents of uploaded documents against an attacker who might gain file-system read-access to a PHP web application.
Using this library involves three main components:
- A public/private key pair.
- A web server for receiving uploaded documents. Uploaded documents are encrypted using the public key immediately upon upload, and then the unencrypted document is immediately destroyed.
- A file server from which your authorized users can retrieve uploaded documents. You will provide a process which retrieves encrypted documents from the web server and decrypts these documents onto the file server using the private key. Of course, you are responsible for maintaining a file server which you trust to host these unencrypted documents.
Note that the private key does not live on web server. If an attacker were to gain read-access to your web server while there were documents waiting to be moved to your file server, then the attacker would only see a set of encrypted documents and they would not be able to retrieve the private key which would give them the ability to decrypt these documents.
Example
For this example, we assume that:
- Your web server is running Apache, *nix, and of course PHP.
- Your file server may be either *nix or Windows.
- We use (Composer)[https://getcomposer.org/] for package management, but you can modify the example to work without Composer.
This example does not answer how to move the encrypted files from the web server to the file server. On *nix, you might choose to move them with an rsync --delete ...
command. On Windows, you could use WinSCP. Using an authorized_keys
file, it's possible to create an automated job on either *nix or Windows which could move these files over automatically.
Create a Private/Public Key Pair
To create a private, public key pair in *nix:
You should put the public copy of your key (my_key_name.pub
) onto your web server. But you should not put the private copy of your key (my_key_name.pem
) onto your web server. The private copy of your key will need to be on your file server.
Sample Web Application
Web application structure:
The uploads
directory must be writable to your Apache user. For example, you might use chmod o+w uploads
.
The composer.json
specifies the uwdoem/secure-upload
package as a requirement. You'll need to run composer install
to install this package and the vendor
directory.
composer.json:
We place .htaccess
files that block visitor access to the cert
and uploads
directories.
cert/.htaccess:
uploads/.htaccess:
The index.php
is our primary page.
index.php:
For each file that is uploaded, four encryption files will be created. For example 719b5e92a27aefb858982131e8d3be56.data
, 719b5e92a27aefb858982131e8d3be56.data.key
, 719b5e92a27aefb858982131e8d3be56.info
, and 719b5e92a27aefb858982131e8d3be56.info.key
. Each uploaded file will have its own unique hash, prefixing the .data
, .data.key
, .info
, and .info.key
files.
All four of these files must be moved to your decryption script in order to decrypt the uploaded file.
Sample Decryption Script
In the tree below, I have uploaded two documents using the web application above and moved the resulting files into my decryption scrypt:
The composer.json
specifies the uwdoem/secure-upload
package as a requirement. You'll need to run composer install
to install this package and the vendor
directory.
composer.json:
Here is the script which performs the decryption. Having placed your encrypted data files into the in
directory, you would invoke the script using php decrypt.php
.
decrypt.php: