
I'm wondering why there are different ways to use the openssl functions in PHP:

  • pass a key as string (e.g. load it using file_get_contents(), or store it in an env variable)
  • pass a key file as a filename: file:///var/keys/private_key
  • load the key using openssl_pkey_get_private() and then free it with openssl_free_key()

Is there a reason to prefer a specific method? Does the last solution better handle how the key is loaded/freed from memory (and if so, does that have a security impact)?

Matthieu Napoli
    One of the big differences is that `openssl_pkey_get_private` accepts a passphrase to decrypt the key, which the other methods don't... – deceze Feb 05 '16 at 09:53
  • @deceze that's a good point, I didn't think of that! I don't use a passphrase so I didn't notice that difference. I wonder if it's the only one though, I'm mostly curious about possible security implications about how the keys are loaded. – Matthieu Napoli Feb 05 '16 at 09:57
  • I'd expect `file://..` and `openssl_pkey_get_private` to be similarly secure, since OpenSSL can control what is loaded when where. Passing the key as a string means PHP stored it in its memory and garbage collects it at some indeterminate point, which is potentially much less secure. However, I don't know the exact implementation details, this is only speculation. – deceze Feb 05 '16 at 10:00
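The three calling conventions from the question, side by side, as an added example (my code, not part of the original post or the comments). It generates a throwaway RSA key, exports it to a temp file, and signs the same message once with the key as a PEM string, once via a `file://` path and once via a handle from `openssl_pkey_get_private()`. The passphrase `'secret passphrase'` and the message text are constructed for the demo; RSA PKCS#1 v1.5 signatures are deterministic, so all three signatures are expected to be byte-identical, which is what the final comparison checks.

```php
<?php
declare(strict_types=1);

// Added example: a throwaway 2048-bit RSA key, exported unencrypted to $pem
// and written to a temp file so the file:// form can be exercised.
$keyHandle = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($keyHandle === false) {
    throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
}
openssl_pkey_export($keyHandle, $pem);          // $pem: unencrypted PEM text
$path = tempnam(sys_get_temp_dir(), 'demo_key_');
file_put_contents($path, $pem);
chmod($path, 0600);                               // keep the key file owner-only

$message = 'message to sign';                     // constructed input

// 1. Key passed as a PEM string (e.g. from file_get_contents() or getenv()).
openssl_sign($message, $sigString, $pem, OPENSSL_ALGO_SHA256);

// 2. Key passed as a file:// URI; OpenSSL opens and parses the file itself.
openssl_sign($message, $sigFile, 'file://' . $path, OPENSSL_ALGO_SHA256);

// 3. Key loaded explicitly; this is the form that takes a passphrase argument.
$handle = openssl_pkey_get_private('file://' . $path);
if ($handle === false) {
    throw new RuntimeException('openssl_pkey_get_private failed: ' . openssl_error_string());
}
openssl_sign($message, $sigHandle, $handle, OPENSSL_ALGO_SHA256);
if (PHP_VERSION_ID < 80000) {
    openssl_free_key($handle);                    // deprecated no-op from PHP 8.0 on
}

// Same key, same message, deterministic padding: all three signatures match.
var_dump($sigString === $sigFile && $sigFile === $sigHandle); // bool(true)

// Passphrase-protected key: export encrypted, then load with the passphrase.
openssl_pkey_export($keyHandle, $encryptedPem, 'secret passphrase');
$encHandle = openssl_pkey_get_private($encryptedPem, 'secret passphrase');
var_dump($encHandle !== false);                   // bool(true)

// The same functions also accept [$key, $passphrase] as an array argument,
// so the passphrase can be supplied without a separate get_private() call.
openssl_sign($message, $sigArray, [$encryptedPem, 'secret passphrase'], OPENSSL_ALGO_SHA256);
var_dump($sigArray === $sigString);               // bool(true)

unlink($path);
```

On the memory question: whichever form is used, the parsed key ends up in an OpenSSL `EVP_PKEY`, which OpenSSL wipes when the handle is released. What differs is the PEM text itself: with the string form, the key bytes also live in a PHP string (`$pem` here), and PHP does not zero string memory when it is freed, so the material may linger in the process heap until overwritten. The `file://` form avoids holding the PEM in a PHP variable at all, which is the practical reason to prefer it when the key is only needed by the `openssl_*` calls.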

0 Answers