How to keep Suite DB pwd secure in config.php?

Hi,

Currently SuiteCRM db credentials are configured in config.php with no encryption.

How can this be made more secure? Is it possible to store an encrypted password in config.php?

Pls let me know.

Thanks.

Hi jeeva,

If your server is configured correctly, then the config.php file is not readable from outside.

In case someone would break in and obtain access to this file, then all the files in this directory and subdirectories would probably also be exposed.

An encryption method for the password would require PHP to be able to decrypt the password using the code and data available in this very same directory or subdirectories, which defeats its security purpose, as these would be compromised too.

If you set the modes correctly of all files and directories in the SuiteCRM directory they should only be readable by OWNER and GROUP.

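On a Linux-based system running the webserver as account “apache”:

```
# Hand the whole tree to the web server account (user:group).
chown -R apache:apache SUITE_CRM_PATH
# Directories: owner rwx, group r-x, others nothing.
find SUITE_CRM_PATH -type d -exec chmod 0750 {} \;
# Files: owner rw-, group r--, others nothing.
find SUITE_CRM_PATH -type f -exec chmod 0640 {} \;
```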

then no-one ON the machine can see the files other than root and apache.

If you ADD to your .htaccess file the following

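```
# "deny from all" is Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat the equivalent is "Require all denied".
<files config.php>
  deny from all
</files>
<files ~ "\.ht">
  deny from all
</files>
<files config_override.php>
  deny from all
</files>
```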

then no-one will have access to those files from the outside.

Your password will be secure.

Jobst

2 Likes
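
A check for the permission scheme in the answer above, added here as an example and not part of the original thread. The function name `audit_tree` and the finding labels are chosen for this example; it reports anything under the SuiteCRM directory that is looser than 0750/0640 or not owned by the web server account.

```shell
#!/bin/sh
# Added example (not from the thread): audit a SuiteCRM tree against the
# owner/group-only scheme described above.
#
# Usage (as root):  audit_tree SUITE_CRM_PATH apache apache
# Prints one line per finding; returns 0 if clean, 1 if findings, 2 on error.
audit_tree() {
    root=$1
    owner=$2
    group=${3:-}    # optional: skip the group check when empty

    [ -d "$root" ] || { echo "ERROR not a directory: $root" >&2; return 2; }

    findings=$(
        # Looser than 0750/0640: group-write, or any bit for "other".
        # Symlinks are skipped because their own mode bits are meaningless.
        find "$root" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo "TOO-OPEN" {} \;

        # Entries the web server account does not own.
        find "$root" ! -user "$owner" -exec echo "WRONG-OWNER" {} \;

        # Entries whose group would let another account read config.php.
        if [ -n "$group" ]; then
            find "$root" ! -group "$group" -exec echo "WRONG-GROUP" {} \;
        fi
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Running it after every upgrade or module install catches files that were unpacked with the default umask and are world-readable again.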

Thanks :slight_smile:

Will try that out.