PHP GnuPG encryption/decryption on a production webserver
Hi all,
I did search on this topic and found a troubleshooting thread (hence I used a similar subject line), but my question is to those running a production webserver.
I am reviewing a few PHP classes that use the native gpg file as installed on a Linux webserver. I am building an email application and would like to use the public key infrastructure. Common locations for this binary executable are /usr/local/bin/gpg and /usr/bin/gpg but it has been my understanding to never allow a script (PHP in this case) to access a file outside of the public root directory for the webserver.
1. Can using this binary executable be exploited and be a security risk?
2. Can the binary be simply copied into a /scripts/ folder inside the webserver's root directory without compromising the server's security?
I have been researching encryption methods and techniques but I am not sure that developing an encryption scheme is the right choice. It seems that encryption is built into every Linux box out there and there should be an easy way to use what already exists and apply it in a production web application.
If this is the totally wrong approach, then what are other suggestions for open source encryption PHP software/libraries (for email & text) as used on Apache webservers?