# Docker Example for Protected ENV values

This repository is an example of a setup using Apache's `envvars`, an external file and `open_basedir` to prevent direct file access to the confidential settings.

Clone the repo and run:

```
docker-compose build; docker-compose up;
```

Then go to http://localhost:80 to see the output.
## How it works

When the build is performed, the following happens:

- All of the files are copied up to the machine (for
- The Apache configuration is updated to include a version of the `ENC_KEY` value set via `SetEnv` and using the environment variable
- The `open_basedir.ini` file is copied over to the right place. This is a PHP ini configuration that enables the `open_basedir` setting and restricts the PHP process from accessing files outside of
- The `test-settings` file with the `ENC_KEY` value is moved to the right place
- The contents of the local `envvars` is appended to the main
- The `vhost_alias` module is then enabled and the Apache server is restarted. Once it's restarted you can visit the page and see that, while the script can't access `/etc/apache2/envvars` directly, the `ENC_KEY` value is available in the
## What does this solve?

In some recent discussions, it was noted that, even if you put the key for your application encryption outside of the `DocumentRoot` of your app, it would still be readable by the PHP process. If a Local File Include attack vector was found, this would allow an attacker to read this key and the code used to decrypt the data in your application.

This setup prevents this as the key value, despite existing on disk, cannot be read directly from PHP. Instead it is referenced via the

Take this with a grain of salt, however. If the attacker is able to upload a file that can be executed as PHP, they have full access to the values in `$_ENV` including any sensitive values loaded using this method.

Another issue is server breach and the fact that the file with the key is sitting on disk. However, if the attacker has breached the server, you have more to worry about than just a single encryption key being exposed...
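The following page script is an added example (it is not this repository's own code) that makes the two halves of the setup above visible at once: the `ENC_KEY` value handed over by Apache is available to the script, while a direct read of the files that hold the key on disk is refused by `open_basedir`. It assumes the configuration the README describes; the concrete paths `/var/www/html` and `/etc/apache2/test-settings`, the `export` form of the `envvars` line and the `SetEnv ENC_KEY ${ENC_KEY}` form of the vhost line are assumptions for the sake of the example.

```php
<?php
// Added example, not the repository's own index.php.
//
// Assumed configuration (paths and exact lines are assumptions):
//   /etc/apache2/envvars          : export ENC_KEY="...secret..."
//   Apache vhost                  : SetEnv ENC_KEY ${ENC_KEY}
//   PHP ini (open_basedir.ini)    : open_basedir = /var/www/html
//
// The value set by Apache is reachable through the environment; the files
// it was loaded from are outside open_basedir and cannot be read.

declare(strict_types=1);

// Files the README describes as holding the key on disk.
// The location of the settings file is an assumption.
$protectedFiles = [
    '/etc/apache2/envvars',
    '/etc/apache2/test-settings', // assumed location
];

header('Content-Type: text/plain');

// Sanity check first: an empty open_basedir means the ini file was not
// picked up and the file reads below will succeed.
$basedir = ini_get('open_basedir');
printf("open_basedir = %s\n\n", $basedir !== '' && $basedir !== false ? $basedir : '(NOT SET - ini file not loaded?)');

// 1. The key reaches the script only through the environment Apache sets.
//    The value itself is never echoed, only whether it is present.
$key = getenv('ENC_KEY');
printf("ENC_KEY via getenv():  %s\n", $key === false ? '(not set)' : 'present, ' . strlen($key) . ' bytes');
printf("ENC_KEY via \$_SERVER: %s\n\n", isset($_SERVER['ENC_KEY']) ? 'present' : '(not set)');

// 2. A direct file read is what an LFI-style bug would end up doing.
//    open_basedir turns it into a warning plus a false return value; the
//    warning is captured so its text can be reported without leaking
//    into the page as a PHP notice.
foreach ($protectedFiles as $path) {
    $warning = null;
    set_error_handler(function (int $errno, string $errstr) use (&$warning): bool {
        $warning = $errstr;
        return true; // mark as handled
    });
    $contents = file_get_contents($path);
    restore_error_handler();

    if ($contents === false) {
        printf("read %s: refused (%s)\n", $path, $warning ?? 'no warning text');
    } else {
        // Reaching this branch means open_basedir is not protecting the file.
        printf("read %s: SUCCEEDED, %d bytes - open_basedir is NOT effective!\n", $path, strlen($contents));
    }
}
```

When the ini file is in effect, the expected warning text for each protected path is PHP's `open_basedir restriction in effect` message; if the script reports a successful read, check that `open_basedir.ini` landed in the directory PHP actually scans (`php --ini` lists it) and that the value covers only the `DocumentRoot`.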